Abstract

Higher-order abstract syntax is a central representation technique in logical frameworks which maps variables of the object language into variables in the meta-language. It leads to concise encodings, but is incompatible with functions defined by primitive recursion or proofs by induction.

In this paper we propose an extension of the simply-typed lambda-calculus with iteration and case constructs which preserves the adequacy of higher-order abstract syntax encodings. The well-known paradoxes are avoided through the use of a modal operator which obeys the laws of S4. In the resulting calculus many functions over higher-order representations can be expressed elegantly. Our central technical result, namely that our calculus is conservative over the simply-typed lambda-calculus, is proved by a rather complex argument using logical relations.

We view our system as an important first step towards allowing the methodology of LF to be employed effectively in systems based on induction principles such as ALF, Coq, or Nuprl, leading to a synthesis of currently incompatible paradigms.
1 Introduction

Higher-order abstract syntax is a central representation technique in many logical frameworks, that is, meta-languages designed for the formalization of deductive systems. The basic idea is to represent variables of the object language by variables in the meta-language. Consequently, object language constructs which bind variables must be represented by meta-language constructs which bind the corresponding variables.

This deceptively simple idea, which goes back to Church [Chu40] and Martin-Löf's system of arities [NPS90], has far-reaching consequences for the methodology of logical frameworks. On one hand, encodings of logical systems using this idea are often extremely concise and elegant, since common concepts and operations such as variable binding, variable renaming, capture-avoiding substitution, or parametric and hypothetical judgments are directly supported by the framework and do not need to be encoded separately in each application. On the other hand, higher-order representations are no longer inductive in the usual sense, which means that standard techniques for reasoning by induction do not apply.

Various attempts have been made to preserve the advantages of higher-order abstract syntax in a setting with strong induction principles [DH94, DFH95], but none of these is entirely satisfactory from a practical or theoretical point of view.

In this paper we take a first step towards reconciling higher-order abstract syntax with induction by proposing a system of primitive recursive functionals that permits iteration over subjects of functional type. In order to avoid the well-known paradoxes which arise in this setting (see Section 3), we decompose the primitive recursive function space A ⇒ B into a modal operator and a parametric function space (□A) → B. The inspiration comes from linear logic, which arises from a similar decomposition of the intuitionistic function space A ⊃ B into a modal operator and a linear function space (!A) ⊸ B.

The resulting system allows, for example, iteration over the structure of expressions from the untyped λ-calculus when represented using higher-order abstract syntax. It is general enough to permit iteration over objects of any simple type, constructed over any simply typed signature, and thereby encompasses Gödel's system T [God90]. Moreover, it is conservative over the simply-typed λ-calculus, which means that the compositional adequacy of encodings in higher-order abstract syntax is preserved. We view our calculus as an important first step towards a system which allows the methodology of logical frameworks such as LF [HHP93] to be incorporated into systems such as Coq [PM93] or ALF [Mag95].

The remainder of this paper is organized as follows: Section 2 reviews the idea of higher-order abstract syntax and introduces the simply typed λ-calculus (λ→) which we extend to a modal λ-calculus in Section 3. Section 4 then presents iteration and Section 5 definition by cases. In Section 6 we start with the technical discussion, introduce some auxiliary concepts and derive some basic results. Section 7 shows the proof of the canonical form theorem, which is essential for the proof of type preservation (Section 8) and our central result, namely that our system is conservative over λ→ (Section 9). Finally, Section 10 assesses the results, compares some related work, and outlines future work.
2 Higher-Order Abstract Syntax

Higher-order abstract syntax exploits the full expressive power of a typed λ-calculus for the representation of an object language, where λ-abstraction provides the mechanism to represent binding. In this paper, we restrict ourselves to a simply typed meta-language, although we recognize that an extension allowing dependent types and polymorphism is important future work (see Section 10). Our formulation of the simply-typed meta-language is standard.


  Pure types:   B ::= a | B1 → B2
  Objects:      M ::= x | c | λx:B. M | M1 M2
  Context:      Ψ ::= · | Ψ, x : B
  Signature:    Σ ::= · | Σ, a : type | Σ, c : B


We use a for type constants, c for object constants and x for variables. We assume that constants and variables are declared at most once in a signature and context, respectively. As usual, we apply tacit renaming of bound variables to maintain this assumption, and to guarantee capture-avoiding substitution. Before we proceed with the presentation of the typing rules we define the union Ψ1 ∪ Ψ2 of two contexts Ψ1 and Ψ2.

Definition 2.1 (Context Union) Rules:

  Ψ ∪ · = Ψ                                 (CuBase)
  Ψ1 ∪ (Ψ2, x : A) = (Ψ1 ∪ Ψ2), x : A       (CuInd)

and the lookup of the type of a variable x in Ψ, written Ψ(x), as:

Definition 2.2 (Context Access) Ψ(x) = A iff there are Ψ1, Ψ2 s.t. Ψ = (Ψ1, x : A) ∪ Ψ2.

It might sound awkward to define these notions in such depth of detail, but reasoning with variables requires a rigorous treatment. For our typing and evaluation judgments we also fix a signature Σ so we do not have to carry it around.

Definition 2.3 (Typing judgment) Ψ ⊢ M : B is defined by:

  Ψ(x) = B
  ------------ StpVar
  Ψ ⊢ x : B

  Σ(c) = B
  ------------ StpConst
  Ψ ⊢ c : B

  Ψ, x : B1 ⊢ M : B2
  ---------------------------- StpLam
  Ψ ⊢ λx:B1. M : B1 → B2

  Ψ ⊢ M1 : B1 → B2    Ψ ⊢ M2 : B1
  -------------------------------- StpApp
  Ψ ⊢ M1 M2 : B2

As running examples throughout the paper we use the representation of natural numbers and untyped λ-expressions.

Example 2.4 (Natural numbers)

  nat : type
  ⌜0⌝ = z                  z : nat
  ⌜n + 1⌝ = s ⌜n⌝          s : nat → nat
Untyped λ-expressions illustrate the idea of higher-order abstract syntax: object language variables are represented by meta-language variables.

Example 2.5 (Untyped λ-expressions)

  Expressions: e ::= x | lam x.e | e1@e2

  exp : type
  ⌜x⌝ = x
  ⌜lam x.e⌝ = lam (λx:exp. ⌜e⌝)        lam : (exp → exp) → exp
  ⌜e1@e2⌝ = app ⌜e1⌝ ⌜e2⌝              app : exp → (exp → exp)

Not every well-typed object of the meta-language directly represents an expression of the object language. For example, we can see that ⌜e⌝ will never contain a β-redex. Moreover, the argument to lam, which has type exp → exp, will always be a λ-abstraction. Thus the image of the translation in this representation methodology is always a β-normal and η-long form. Following [HHP93], we call these forms canonical, as defined by the following two judgments.

Definition 2.6 (Atomic and canonical forms)

1. Ψ ⊢ V ↓ B (V is atomic of type B in Ψ)

2. Ψ ⊢ V ⇑ B (V is canonical of type B in Ψ)

are defined by:

  Ψ(x) = B
  ------------ AtVar
  Ψ ⊢ x ↓ B

  Σ(c) = B
  ------------ AtConst
  Ψ ⊢ c ↓ B

  Ψ ⊢ V1 ↓ B2 → B1    Ψ ⊢ V2 ⇑ B2
  -------------------------------- AtApp
  Ψ ⊢ V1 V2 ↓ B1

  Ψ ⊢ V ↓ a
  ------------ CanAt
  Ψ ⊢ V ⇑ a

  Ψ, x : B1 ⊢ V ⇑ B2
  ---------------------------- CanLam
  Ψ ⊢ λx:B1. V ⇑ B1 → B2

Canonical forms play the role of "observable values" in a functional language: they are in one-to-one correspondence with the expressions we are trying to represent. For Example 2.5 (untyped λ-expressions) this is expressed by the following property, which is proved by simple inductions.

Example 2.7 (Compositional adequacy for untyped λ-expressions)

1. Let e be an expression with free variables among x1, ..., xn. Then x1 : exp, ..., xn : exp ⊢ ⌜e⌝ ⇑ exp.

2. Let x1 : exp, ..., xn : exp ⊢ M ⇑ exp. Then M = ⌜e⌝ for an expression e with free variables among x1, ..., xn.

3. ⌜·⌝ is a bijection between expressions and canonical forms where ⌜[e'/x]e⌝ =

Since every object in λ→ has a unique βη-equivalent canonical form, the meaning of every well-typed object is unambiguously given by its canonical form. Our operational semantics (see Definitions 3.3 and 4.29) computes this canonical form and therefore the meaning of every well-typed object. That this property is preserved under an extension of the language by primitive recursion for higher-order abstract syntax may be considered the main technical result of this paper.
3 Modal λ-Calculus

The constructors for objects of type exp from Example 2.5 are lam : (exp → exp) → exp and app : exp → (exp → exp). These cannot be the constructors of an inductive type exp, since we have a negative occurrence of exp in the argument type of lam. This is not just a formal observation, but has practical consequences: we cannot formulate a consistent induction principle for expressions in this representation. Furthermore, if we increase the computational power of the meta-language by adding definition by cases or an iterator, then not every well-typed object of type exp has a canonical form. For example,

  · ⊢ lam (λE:exp. case E of app E1 E2 ⇒ app E2 E1 | lam E' ⇒ lam E') : exp

but the given object does not represent any untyped λ-expression, nor could it be converted to one. The difficulty with a case or iteration construct is that there are many new functions of type exp → exp which cannot be converted to a function in λ→. This becomes a problem when such functions are arguments to constructors, since then the extension is no longer conservative even over expressions of base type (as illustrated in the example above).

Thus we must cleanly separate the parametric function space exp → exp, whose elements are convertible to the form λx:exp. E where E is built only from the constructors app, lam, and the variable x, from the primitive recursive function space exp ⇒ exp, which is intended to encompass functions defined through case distinction and iteration. This separation can be achieved by using a modal operator: exp → exp will continue to contain only the parametric functions, while exp ⇒ exp = (□exp) → exp contains the primitive recursive functions.

Intuitively we interpret □B as the type of closed objects of type B. We can iterate or distinguish cases over closed objects, since all constructors are statically known and can be provided for. This is not the case if an object may contain some unknown free variables. The system is non-trivial since we may also abstract over objects of type □A, but fortunately it is well understood and corresponds (via an extension of the Curry-Howard isomorphism) to the intuitionistic variant of S4 [DP96].

In Section 4 we introduce schemas for defining functions by iteration and case distinction which require the subject to be of type □B. We can recover the ordinary scheme of primitive recursion for type nat if we also add pairs to the language. Pairs (with type A1 × A2) are also necessary for the simultaneous definition of mutually recursive functions. Just as the modal type □A, pairs are lazy and values of these types are not observable; ultimately we are only interested in canonical forms of pure type.

The formulation of the modal λ-calculus below is copied from [DP96] and goes back to [PW95]. The language of types includes the pure types from the simply-typed λ-calculus in Section 2.

  Types:      A ::= a | A1 → A2 | □A | A1 × A2
  Objects:    M ::= c | x | λx:A. M | M1 M2
                  | box M | let box x = M1 in M2 | ⟨M1, M2⟩ | fst M | snd M
  Contexts:   Γ ::= · | Γ, x : A

For the sake of brevity we usually suppress the fixed signature Σ. However, it is important that signatures Σ and contexts denoted by Ψ will continue to contain only pure types, while contexts Γ and Δ may contain arbitrary types. We also continue to use B to range over pure types, while A ranges over arbitrary types. Definitions 2.1 and 2.2 extend in a trivial way to Γ (instead of Ψ), by replacing all B's in the definition by A's. The typing judgment Δ; Γ ⊢ M : A uses two contexts: Δ, whose variables range over closed objects, and Γ, whose variables range over arbitrary objects.

Definition 3.1 (Typing judgment) Δ; Γ ⊢ M : A is defined in Figure 1.

  Γ(x) = A
  ---------------- TpVarReg
  Δ; Γ ⊢ x : A

  Δ(x) = A
  ---------------- TpVarMod
  Δ; Γ ⊢ x : A

  Σ(c) = B
  ---------------- TpConst
  Δ; Γ ⊢ c : B

  Δ; Γ, x : A1 ⊢ M : A2
  -------------------------------- TpLam
  Δ; Γ ⊢ λx:A1. M : A1 → A2

  Δ; Γ ⊢ M1 : A2 → A1    Δ; Γ ⊢ M2 : A2
  -------------------------------------- TpApp
  Δ; Γ ⊢ M1 M2 : A1

  Δ; Γ ⊢ M1 : A1    Δ; Γ ⊢ M2 : A2
  ---------------------------------- TpPair
  Δ; Γ ⊢ ⟨M1, M2⟩ : A1 × A2

  Δ; Γ ⊢ M : A1 × A2
  ------------------------ TpFst
  Δ; Γ ⊢ fst M : A1

  Δ; Γ ⊢ M : A1 × A2
  ------------------------ TpSnd
  Δ; Γ ⊢ snd M : A2

  Δ; · ⊢ M : A
  ------------------------ TpBox
  Δ; Γ ⊢ box M : □A

  Δ; Γ ⊢ M1 : □A1    Δ, x : A1; Γ ⊢ M2 : A2
  ------------------------------------------- TpLet
  Δ; Γ ⊢ let box x = M1 in M2 : A2

Figure 1: Typing judgment Δ; Γ ⊢ M : A


As examples, we show some basic laws of the (intuitionistic) modal logic S4.

Example 3.2 (Laws of S4)

  funlift : □(A1 → A2) → □A1 → □A2
          = λf:□(A1 → A2). λx:□A1. let box f' = f in let box x' = x in box (f' x')

  unbox : □A → A
        = λx:□A. let box x' = x in x'

  boxbox : □A → □□A
         = λx:□A. let box x' = x in box (box x')


The rules for evaluation must be constructed in such a way that full canonical forms are computed for objects of pure type, that is, we must evaluate under certain λ-abstractions. Objects of type □A or A1 × A2 on the other hand are not observable and may be computed lazily. We therefore use two mutually recursive judgments for evaluation and conversion to canonical form, written Ψ ⊢ M ↪ V : A and Ψ ⊢ M ⇑ V : B, respectively. The latter is restricted to pure types, since only objects of pure type possess canonical forms. Since we evaluate under some λ-abstractions, free variables of pure type declared in Ψ may occur in M and V during evaluation.

Definition 3.3 (Evaluation judgments) Ψ ⊢ M ↪ V : A and Ψ ⊢ M ⇑ V : B are defined in Figure 2.

Note that the rules EvApp and EvAtomic are mutually exclusive, since the evaluation of M1 in an application M1 M2 either yields an atomic term (with a constant or parameter at the head) or a λ-abstraction. Since constants and parameters must have pure type, the type of the argument M2 in EvAtomic must also be pure.
  Ψ ⊢ M ↪ V : a
  ----------------- EcAtomic
  Ψ ⊢ M ⇑ V : a

  Ψ, x : B1 ⊢ M x ⇑ V : B2
  ------------------------------------ EcArrow
  Ψ ⊢ M ⇑ λx:B1. V : B1 → B2

  Ψ(x) = A
  ----------------- EvVar
  Ψ ⊢ x ↪ x : A

  Σ(c) = B
  ----------------- EvConst
  Ψ ⊢ c ↪ c : B

  ·; Ψ, x : A1 ⊢ M : A2
  ------------------------------------------ EvLam
  Ψ ⊢ λx:A1. M ↪ λx:A1. M : A1 → A2

  Ψ ⊢ M1 ↪ λx:A2. M1' : A2 → A1    Ψ ⊢ M2 ↪ V2 : A2    Ψ ⊢ [V2/x](M1') ↪ V : A1
  -------------------------------------------------------------------------- EvApp
  Ψ ⊢ M1 M2 ↪ V : A1

  Ψ ⊢ M1 ↪ V1 : B2 → B1    Ψ ⊢ V1 ↓ B2 → B1    Ψ ⊢ M2 ⇑ V2 : B2
  ------------------------------------------------------------ EvAtomic
  Ψ ⊢ M1 M2 ↪ V1 V2 : B1

  ·; Ψ ⊢ M1 : A1    ·; Ψ ⊢ M2 : A2
  ------------------------------------------ EvPair
  Ψ ⊢ ⟨M1, M2⟩ ↪ ⟨M1, M2⟩ : A1 × A2

  Ψ ⊢ M ↪ ⟨M1, M2⟩ : A1 × A2    Ψ ⊢ M1 ↪ V : A1
  ------------------------------------------------ EvFst
  Ψ ⊢ fst M ↪ V : A1

  Ψ ⊢ M ↪ ⟨M1, M2⟩ : A1 × A2    Ψ ⊢ M2 ↪ V : A2
  ------------------------------------------------ EvSnd
  Ψ ⊢ snd M ↪ V : A2

  ·; · ⊢ M : A
  ---------------------------- EvBox
  Ψ ⊢ box M ↪ box M : □A

  Ψ ⊢ M1 ↪ box M1' : □A1    Ψ ⊢ [M1'/x](M2) ↪ V : A2
  --------------------------------------------------- EvLet
  Ψ ⊢ let box x = M1 in M2 ↪ V : A2

Figure 2: Evaluation judgments Ψ ⊢ M ↪ V : A and Ψ ⊢ M ⇑ V : B
4 Iteration

The modal operator □ introduced in Section 3 allows us to restrict iteration and case distinction to subjects of type □B, where B is a pure type. The technical realization of this idea in its full generality is rather complex. We therefore begin by describing the behavior of functions defined by iteration informally, incrementally developing their formal definition within our system. In the informal presentation we elide the box constructor, but we should convince ourselves that the subject of the iteration or case is indeed assumed to be closed.

Example 4.1 (Addition) The usual type of addition is nat → nat → nat. This is no longer a valid type for addition, since it must iterate over either its first or second argument and would therefore not be parametric in that argument. Among the possible types for addition, we will be interested particularly in □nat → nat → nat and □nat → □nat → □nat.

  plus z n = n
  plus (s m) n = s (plus m n)

Note that this definition cannot be assigned type nat → nat → nat or □nat → nat → □nat.

In our system we view iteration as replacing constructors of a canonical term by functions of appropriate type, which is also the idea behind catamorphisms [FS96]. In the case of natural numbers, we replace z : nat by a term of type A and s : nat → nat by a function of type A → A. Thus iteration over natural numbers replaces type nat by A. We use the notation a ↦ A for a type replacement and c ↦ M for a term replacement. Iteration in its simplest form is written as "it (a ↦ A) M (Ω)", where M is the subject of the iteration and Ω is a list containing term replacements for all constructors of type a. The formal typing rules for replacements are given later in this section; first some examples.

Example 4.2 (Addition via iteration) Addition from Example 4.1 can be formulated in a number of ways with an explicit iteration operator. The simplest one:

  plus' : □nat → nat → nat
        = λm:□nat. λn:nat. it (nat ↦ nat) m (z ↦ n | s ↦ s)

Later examples require addition with a result guaranteed to be closed. Its definition is only slightly more complicated.

  plus : □nat → □nat → □nat
       = λm:□nat. λn:□nat. it (nat ↦ □nat) m
           ( z ↦ n
           | s ↦ (λr:□nat. let box r' = r in box (s r')))

If the data type is higher-order, iteration over closed objects must traverse terms with free variables. We model this in the informal presentation by introducing new parameters (written as νx.M) and extending the function definition dynamically to encompass the new parameters (written as "where f(x) = M").
Example 4.3 (Counting variable occurrences) Below is a function which counts the number of occurrences of bound variables in an untyped λ-expression in the representation of Example 2.5. It can be assigned type □exp → □nat.

  cntvar (app e1 e2) = plus (cntvar e1) (cntvar e2)
  cntvar (lam e) = νx. cntvar (e x) where cntvar x = (s z)

It may look like the recursive call in the example above is not well-typed, since (e x) is not closed as required, but contains a free parameter x. Making sense of this apparent contradiction is the principal difficulty in designing an iteration construct for higher-order abstract syntax. As before, we model iteration via replacements. Here, exp ↦ □nat and so lam ↦ M1 and app ↦ M2 where M1 : (□nat → □nat) → □nat and M2 : □nat → (□nat → □nat). The types of the replacement terms M1 and M2 arise from the types of the constructors lam : (exp → exp) → exp and app : exp → (exp → exp) by applying the type replacement exp ↦ □nat. We write

  cntvar : □exp → □nat
         = λx:□exp. it (exp ↦ □nat) x
             ( app ↦ plus
             | lam ↦ λf:□nat → □nat. f (box (s z)))

For example, after β-reduction and replacement the term

  cntvar (box (lam (λx:exp. app x x)))

reduces to

  (λf:□nat → □nat. f (box (s z))) (λn:□nat. plus n n)

which can in turn be β-reduced to plus (box (s z)) (box (s z)) and finally to the expected answer box (s (s z)).

Note that our operational semantics (see Definition 4.29) goes through different intermediate steps than the sequence above, but leads to the same result. Note also how replacement re-types (and possibly renames) bound variables (from x : exp to n : □nat) in the canonical form to guarantee type preservation.

Example 4.4 (Counting abstractions) The function below counts the number of occurrences of λ-abstractions in an expression. It also has type □exp → □nat.

  cntlam (app e1 e2) = plus (cntlam e1) (cntlam e2)
  cntlam (lam e) = s (νx. cntlam (e x) where cntlam x = z)

Its representation as an iteration follows the same ideas as above.

  cntlam : □exp → □nat
         = λx:□exp. it (exp ↦ □nat) x
             ( app ↦ λn1:□nat. λn2:□nat. plus n1 n2
             | lam ↦ λf:□nat → □nat. let box m = f (box z) in box (s m))
Example 4.5 (First order logic) First order formulas and terms are represented as canonical objects of type i over the signature which includes the following declarations.

  Terms:     t
  Formulas:  F ::= ∀x. F | F1 ⊃ F2 | t1 = t2

  i : type
  o : type
  ⌜∀x. F⌝ = forall (λx:i. ⌜F⌝)        forall : (i → o) → o
  ⌜F1 ⊃ F2⌝ = impl ⌜F1⌝ ⌜F2⌝          impl : o → o → o
  ⌜t1 = t2⌝ = eq ⌜t1⌝ ⌜t2⌝            eq : i → i → o

To count the number of equality tests, we can specify cnteq with type i → □o → □nat as follows. We require an argument term t in order to instantiate the universal quantifier (since we did not assume any constants of type i).

  cnteq t (forall F) = cnteq t (F t)
  cnteq t (impl F1 F2) = plus (cnteq t F1) (cnteq t F2)
  cnteq t (eq t1 t2) = box (s z)

A representation of cnteq in the modal λ-calculus has the form:

  cnteq : i → □o → □nat
        = λt:i. λF:□o. it (o ↦ □nat) F
            ( forall ↦ λf:i → □nat. (f t)
            | impl ↦ plus
            | eq ↦ λt1:i. λt2:i. box (s z))

Example 4.6 (Booleans) Boolean values can be represented as objects of type bool over the signature which includes the following declaration:

  Boolean values: b ::= ⊤ | ⊥

  bool : type
  ⌜⊤⌝ = true       true : bool
  ⌜⊥⌝ = false      false : bool

Informally we can represent the Boolean operation and as follows. We must require that all argument and all result types are boxed, because the result of and will be used as subject for another case distinction.

  and true B2 = B2
  and false B2 = false

A formal representation of and is then as follows:

  and : □bool → □bool → □bool
      = λB1:□bool. λB2:□bool.
          it (bool ↦ □bool) B1
            ( true ↦ B2
            | false ↦ box false)
Example 4.7 (Constant test) Below we define a function which returns true if a given functional object of type exp → exp (see Example 2.5) is constant with respect to the first argument.

  const λx:exp. (lam (λy:exp. E x y)) = νy. const λx:exp. (E x y)
                                          where const λx:exp. y = true
  const λx:exp. (app (E1 x) (E2 x)) = and (const λx:exp. (E1 x)) (const λx:exp. (E2 x))
  const λx:exp. x = false

The representation of const has type □(exp → exp) → □bool.

  const : □(exp → exp) → □bool
        = λE:□(exp → exp). it (exp ↦ □bool) E
            ( lam ↦ λE:□bool → □bool. (E (box true))
            | app ↦ and) (box false)

Note how the last case in the informal definition is represented by applying the result of iteration (which will be of type □bool → □bool) to box false.

Example 4.8 (Translation to de Bruijn representation) Untyped λ-expressions in de Bruijn form are represented as canonical objects of type db over the signature which includes the natural numbers and the following declarations.

  De Bruijn expressions: d ::= n | lam d | d1@d2

  db : type
  ⌜n⌝ = var ⌜n⌝             var : nat → db
  ⌜lam d⌝ = lm ⌜d⌝          lm : db → db
  ⌜d1@d2⌝ = ap ⌜d1⌝ ⌜d2⌝    ap : db → db → db

A translation from the higher-order representation to de Bruijn form has type □exp → db and is represented formally in terms of an auxiliary function trans of type □exp → □nat → db:

  trans (lam e) n = lm (νx. trans (e x) (s n) where (trans x m) = var (minus m n))
  trans (app e1 e2) n = ap (trans e1 n) (trans e2 n)
  dbtrans e = trans e z

At the top level (when translating a closed term) we can apply this to any natural number to obtain a function of type □exp → db. Assuming functions minus (whose definition we discuss in the next section) and unbox (see Example 3.2), this is implemented by the following iteration.

  trans : □exp → □nat → db
        = λx:□exp. it (exp ↦ □nat → db) x
            ( lam ↦ λf:(□nat → db) → (□nat → db).
                      λn:□nat. lm (f (λm:□nat. var (unbox (minus m n)))
                                     (let box n' = n in box (s n')))
            | app ↦ λf1:□nat → db. λf2:□nat → db.
                      λn:□nat. ap (f1 n) (f2 n))

  dbtrans : □exp → db
          = λx:□exp. trans x (box z)
A number of other functions can be defined elegantly in this representation. For example, pairs appear to be necessary for defining parallel β-reduction (which is convenient in the proof of the Church-Rosser theorem).

Example 4.9 (Parallel reduction) Parallel reduction is here defined over expressions (from Example 2.5). We state the function first informally:

  par (app e1 e2) = par' e1 (par e2)
  par (lam e1) = lam (λx:exp. par (e1 x))
                   where par x = x and par' x = app x e3
  par' (app e1 e2) = app (par' e1 (par e2))
  par' (lam e1) = νx. par (e1 x)
                    where par x = e2' and par' x = app e3

Parallel reduction can be represented in our system; pairs are essential to do so. The type of par is □exp → exp. The (unnamed) intermediate function defined by iteration has type □exp → exp × (exp → exp).

  par : □exp → exp
      = λe:□exp.
          fst (it (exp ↦ exp × (exp → exp)) e
                ( app ↦ λe1:exp × (exp → exp). λe2:exp × (exp → exp).
                          ⟨ (snd e1) (fst e2),
                            λe3:exp. app ((snd e1) (fst e2)) e3 ⟩
                | lam ↦ λe1:(exp × (exp → exp)) → (exp × (exp → exp)).
                          ⟨ lam (λx:exp. fst (e1 ⟨x, λe3:exp. app x e3⟩)),
                            λe2:exp. fst (e1 ⟨e2, λe3:exp. app e2 e3⟩) ⟩))

The following example illustrates two concepts: mutually inductive types and iteration over the form of a (parametric!) function (which we already saw in Example 4.7).

Example 4.10 (Substitution in normal forms) Substitution is already directly definable by application, but one may also ask if there is a structural definition in the style of [Mil91]. Normal forms of the untyped λ-calculus are represented by the type nf with an auxiliary definition for atomic forms of type at.

  Normal forms:  N ::= P | lam x.N
  Atomic forms:  P ::= x | P@N

The representation function is now overloaded, but it should be clear how to resolve it from the context.

  nf : type
  at : type
  ⌜x⌝ = x
  ⌜P⌝ = atnf ⌜P⌝                  atnf : at → nf
  ⌜lam x.N⌝ = l (λx:at. ⌜N⌝)      l : (at → nf) → nf
  ⌜P@N⌝ = a ⌜P⌝ ⌜N⌝               a : at → nf → at
Substitution of atomic objects for variables is defined by two mutually recursive functions, one of type $subnf : \Box(at \to nf) \to at \to nf$ and one of type $subat : \Box(at \to at) \to at \to at$.

$$
\begin{array}{lcl}
subnf\ (\lambda x{:}at.\ l\ (\lambda y{:}at.\ N\ x\ y))\ Q & = & l\ (\lambda y{:}at.\ subnf\ (\lambda x{:}at.\ N\ x\ y)\ Q) \\
 & & \quad \text{where } subat\ (\lambda x{:}at.\ y)\ Q = y \\
subnf\ (\lambda x{:}at.\ atnf\ (P\ x))\ Q & = & atnf\ (subat\ (\lambda x{:}at.\ P\ x)\ Q) \\
subat\ (\lambda x{:}at.\ a\ (P\ x)\ (N\ x))\ Q & = & a\ (subat\ (\lambda x{:}at.\ P\ x)\ Q)\ (subnf\ (\lambda x{:}at.\ N\ x)\ Q) \\
subat\ (\lambda x{:}at.\ x)\ Q & = & Q
\end{array}
$$

The  last  case  arises  since  the  parameter  x  must  be  considered  as  a  new  constructor  in  the  body  of 
the  abstraction.  The  functions  above  are  realized  in  our  calculus  by  a  simultaneous  replacement 
of  objects  of  type  nf  and  at.  In  other  words,  the  type  replacement  must  account  for  all  mutually 
recursive  types,  and  the  term  replacement  for  all  constructors  of  those  types. 

$$
\begin{array}{l}
subnf : \Box(at \to nf) \to at \to nf \\
\quad = \lambda N{:}\Box(at \to nf).\ \lambda Q{:}at.\ it\ (nf \mapsto nf \mid at \mapsto at)\ N \\
\qquad (\ l \mapsto \lambda F{:}at \to nf.\ l\ (\lambda y{:}at.\ F\ y) \\
\qquad \mid atnf \mapsto \lambda P{:}at.\ atnf\ P \\
\qquad \mid a \mapsto \lambda P{:}at.\ \lambda N{:}nf.\ a\ P\ N) \\
\qquad Q
\end{array}
$$

Via η-contraction we can see that substitution amounts to a structural identity function: every constructor is replaced by itself, and only the parameter $x$ is replaced, namely by $Q$.

Example 4.11 (Further mathematical operations) Below we define multiplication and exponentiation, which we can informally define as follows:

$$
\begin{array}{lcl}
mult\ z\ N & = & z \\
mult\ (s\ M)\ N & = & plus\ (mult\ M\ N)\ N \\
ex\ M\ z & = & s\ z \\
ex\ M\ (s\ N) & = & mult\ (ex\ M\ N)\ M
\end{array}
$$

The representations of mult and ex have type $\Box nat \to \Box nat \to \Box nat$.

$$
\begin{array}{l}
mult : \Box nat \to \Box nat \to \Box nat \\
\quad = \lambda M{:}\Box nat.\ \lambda N{:}\Box nat.\ it\ (nat \mapsto \Box nat)\ M \\
\qquad (\ z \mapsto box\ z \\
\qquad \mid s \mapsto \lambda M'{:}\Box nat.\ plus\ M'\ N) \\[1ex]
ex : \Box nat \to \Box nat \to \Box nat \\
\quad = \lambda M{:}\Box nat.\ \lambda N{:}\Box nat.\ it\ (nat \mapsto \Box nat)\ N \\
\qquad (\ z \mapsto box\ (s\ z) \\
\qquad \mid s \mapsto \lambda N'{:}\Box nat.\ mult\ M\ N')
\end{array}
$$

Example 4.12 (Ackermann's function) Below we define Ackermann's function, which we can informally define as follows:

$$
\begin{array}{lcl}
A\ z & = & \lambda x{:}nat.\ s\ x \\
A\ (s\ n) & = & \lambda x{:}nat.\ (A\ n)^{x}\ x
\end{array}
$$

where $(A\ n)^{x}\ x$ stands for $(A\ n)\ (\ldots ((A\ n)\ x))$, the function $A\ n$ applied $x$ times. The representation of $A$ has type $\Box nat \to \Box nat \to \Box nat$; the $x$-fold application is itself an iteration over $x$, so no general recursion is needed.

$$
\begin{array}{l}
A : \Box nat \to \Box nat \to \Box nat \\
\quad = \lambda m{:}\Box nat.\ it\ (nat \mapsto \Box nat \to \Box nat)\ m \\
\qquad (\ z \mapsto \lambda x{:}\Box nat.\ let\ box\ x' = x\ in\ box\ (s\ x') \\
\qquad \mid s \mapsto \lambda f{:}\Box nat \to \Box nat.\ \lambda x{:}\Box nat.\ it\ (nat \mapsto \Box nat)\ x\ (z \mapsto x \mid s \mapsto f))
\end{array}
$$

The following example shows a scheme for representing primitive recursion over natural numbers using pairs.

Example 4.13 (Primitive recursion over natural numbers) Below we define a general primitive recursive scheme over natural numbers. Let $A$ be the result type of the primitive recursion. For every $N_z : A$ and $N_s : \Box nat \to A \to A$ we define informally the primitive recursion scheme:

$$
\begin{array}{lcl}
pr\ z & = & N_z \\
pr\ (s\ m') & = & N_s\ m'\ (pr\ m')
\end{array}
$$

The representation of pr must make use of pairs. The reason is that the natural number $m'$ must be passed as an argument to $N_s$, and a plain iteration discards it: the case for $s$ only sees the result of the recursive call. Iterating over pairs carries the (boxed) predecessor along with the result, so the structure of the natural number can be recovered:

$$
\begin{array}{l}
pr : \Box nat \to A \\
\quad = \lambda m{:}\Box nat.\ snd \\
\qquad (it\ (nat \mapsto \Box nat \times A)\ m \\
\qquad\quad (\ z \mapsto (box\ z,\ N_z) \\
\qquad\quad \mid s \mapsto \lambda p{:}\Box nat \times A.\ (let\ box\ m' = fst\ p\ in\ box\ (s\ m'),\ \ N_s\ (fst\ p)\ (snd\ p))))
\end{array}
$$
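As an added illustration, not part of the original paper, the following Python program reproduces Examples 4.11 to 4.13 with a single iteration primitive, it_nat, standing in for it (nat ↦ A): closed natural numbers are plain ints, the replacement objects for z and s are Python values and functions, and it_nat is the only form of recursion used. pr shows the pair trick of Example 4.13 and ackermann the nested iteration of Example 4.12; factorial and predecessor are hypothetical uses of pr added here to show that the predecessor really is recovered.

```python
# Added example (not from the paper): iteration over natural numbers as the
# only recursion primitive.  An int m stands for the closed term s (... (s z)).

def it_nat(m, z_case, s_case):
    """it (nat -> A) m (z -> z_case | s -> s_case): replace every s in m by
    s_case and the final z by z_case."""
    acc = z_case
    for _ in range(m):
        acc = s_case(acc)
    return acc

def plus(m, n):
    return it_nat(m, n, lambda r: r + 1)

def mult(m, n):
    # mult z N = z ; mult (s M) N = plus (mult M N) N
    return it_nat(m, 0, lambda m_: plus(m_, n))

def ex(m, n):
    # ex M z = s z ; ex M (s N) = mult (ex M N) M
    return it_nat(n, 1, lambda n_: mult(n_, m))

def ackermann(m):
    # A z = \x. s x ; A (s n) = \x. (A n)^x x
    # The x-fold application of f = A n is an inner iteration over x whose
    # z case is x itself and whose s case is f.
    return it_nat(m,
                  lambda x: x + 1,
                  lambda f: (lambda x: it_nat(x, x, f)))

def pr(m, n_z, n_s):
    # pr z = N_z ; pr (s m') = N_s m' (pr m')
    # Iteration alone forgets m', so iterate over pairs (box m', pr m'):
    # the first component counts up, the second applies N_s to both.
    pair = it_nat(m, (0, n_z), lambda p: (p[0] + 1, n_s(p[0], p[1])))
    return pair[1]

def factorial(m):
    # hypothetical use of pr: fact (s m') = (s m') * fact m'
    return pr(m, 1, lambda m_, acc: (m_ + 1) * acc)

def predecessor(m):
    # hypothetical use of pr: the predecessor is the first pair component
    return pr(m, 0, lambda m_, _acc: m_)
```

Note that ackermann(m) returns a function, mirroring the type □nat → □nat → □nat of the paper's term, and that pr never inspects the int directly; everything it knows about m arrives through the pair built by the s case.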

We begin now with the formal discussion and description of the full language. Due to the possibility of mutual recursion among types, the type replacements must be lists (see Example 4.10).

$$\text{Type replacement:}\qquad \omega ::= \cdot \mid (\omega \mid a \mapsto A)$$

The types being replaced form a type domain, i.e. a list of type constants.

$$\text{Type domain:}\qquad \alpha ::= \cdot \mid \alpha, a$$

Which  types  must  be  replaced  by  an  iteration  depends  on  which  types  are  mutually  recursive 
according  to  the  constructors  in  the  signature  S  and  possibly  the  type  of  the  iteration  subject  itself. 
If  we  iterate  over  a  function,  the  parameter  of  a  function  must  be  treated  like  a  constructor  for  its 
type,  since  it  can  appear  in  that  role  in  the  body  of  a  function. 

The types which must be replaced by an iteration form a type domain. The type replacement must be defined in such a way that every type in this domain is replaced by some other type. This leads to the introduction of well-formed type replacements $\vdash \omega : \alpha$.

Definition 4.14 (Well-formed type replacements)

Rules:

$$
\frac{}{\vdash \cdot : \cdot}\ \text{WrBase}
\qquad\qquad
\frac{\vdash \omega : \alpha}{\vdash (\omega \mid a \mapsto A) : (\alpha, a)}\ \text{WrInd}
$$
We address now the question of mutual dependency between atomic types by defining the notion of type subordination, which summarizes all dependencies between atomic types. We consider separately its static part $\lhd_\Sigma$, which derives from the dependencies induced by the constructor types in $\Sigma$, and its dynamic part $\lhd_B$, which accounts for dependencies induced by the argument types of the subject type $B$. We say that type $a_1$ subordinates type $a_2$ if objects of the latter type can be constructed from objects of the former type.

But what does it mean to build up objects of some pure type $B$? In the easier case, where iteration is performed over objects of atomic type $a$, objects can only be constructed from constructors with target type $a$, applied to some objects of the argument types. In the more complicated case they can also be formed from variables introduced by λ-abstractions. These so-called "parameters" or "pseudo constructors" must be of target type $a$. We denote the target type of a pure type $B$ by $\tau(B)$.

Definition 4.15 (Target types)

$$
\begin{array}{lcl}
\tau(a) & := & a \\
\tau(B_1 \to B_2) & := & \tau(B_2)
\end{array}
$$


Let $B$ be the type of a (pseudo) constructor and $M$ an object of this type. From which other objects $M$ can be constructed can be read off directly from the type $B$: objects of all argument types of $B$, regardless of whether they occur positively or negatively. For a given pure type $B$ we define the type domain $Source(B)$ as follows.

Definition 4.16 (Source types)

$$
\begin{array}{lcl}
Source(a) & := & \cdot \\
Source(B_1 \to B_2) & := & (Source(B_1), \tau(B_1)) \cup Source(B_2)
\end{array}
$$

Note that the resulting type domain can only contain atomic types. For Example 4.10 it is easily verified that the constructor type of $a$ yields $Source(at \to nf \to at) = (at, nf)$.

To obtain the set of all types on which an atomic type $a$ may depend, we must select the subset of the signature $\Sigma$ containing all constant declarations with target type $a$. This subset is called the set of constructor types for $a$ and is denoted by $\Sigma(\Sigma; a)$:

Definition 4.17 (Constructor types)

$$
\begin{array}{lcll}
\Sigma(\cdot; a) & = & \cdot \\
\Sigma(\Sigma', c{:}B;\ a) & = & \Sigma(\Sigma'; a), c{:}B & \text{if } \tau(B) = a \\
 & & \Sigma(\Sigma'; a) & \text{otherwise}
\end{array}
$$


In a more general setting we need the set of all constructor declarations of a mutually inductive type. Type domains have been introduced to represent the set of all participating atomic types of mutually inductive datatypes. The definition of the set of constructors $\Sigma^*(\Sigma; \alpha)$ follows easily:

Definition 4.18 (Constructor types over type domains)

$$
\begin{array}{lcl}
\Sigma^*(\Sigma; \cdot) & = & \cdot \\
\Sigma^*(\Sigma; \alpha, a) & = & \Sigma^*(\Sigma; \alpha) \cup \Sigma(\Sigma; a)
\end{array}
$$
The intuition behind this construction is to define the subordination relation, which reflects the dependencies of atomic types on each other. Target types and source types help us to capture the dependencies for one pure type: the target type depends on each source type. These dependencies are captured by the immediate subordination relation:

Definition 4.19 (Immediate subordination relation) Let $B$ be a type.

$$a <_B \tau(B) \qquad\text{iff}\qquad a \in Source(B)$$

If  we  take  the  union  of  all  immediate  subordination  relations  which  are  induced  by  a 
(sub)signature  S,  we  obtain  the  static  subordination  relation.  It  is  called  static  because  the  signa¬ 
ture  is  fixed. 

Definition 4.20 (Static subordination relation) Let $\Sigma$ be a signature.

$$a_1 \lhd_\Sigma a_2 \qquad\text{iff}\qquad \Sigma = \Sigma', c{:}B \ \text{ and either } a_1 <_B a_2 \text{ or } a_1 \lhd_{\Sigma'} a_2$$

If we consider Example 4.10 again we see that the static subordination relation of the signature is the union of all immediate subordination relations:

• $a : at \to nf \to at$: $\quad at <_{at \to nf \to at} at$, $\quad nf <_{at \to nf \to at} at$

• $atnf : at \to nf$: $\quad at <_{at \to nf} nf$

• $l : (at \to nf) \to nf$: $\quad at <_{(at \to nf) \to nf} nf$, $\quad nf <_{(at \to nf) \to nf} nf$

Putting it all together we obtain the static subordination relation:

$$at \lhd_\Sigma at,\qquad nf \lhd_\Sigma at,\qquad at \lhd_\Sigma nf,\qquad nf \lhd_\Sigma nf$$

Note that the static subordination relation need not be transitive or reflexive.

Constructor  types  are  not  the  only  source  of  subordination.  As  briefly  mentioned  above,  another 
source  are  types  introduced  by  the  type  of  the  iteration  subject.  Fortunately,  it  is  always  closed 
which  guarantees  that  no  free  variables  can  be  encountered  while  traversing  its  structure  except 
internal  variables  defined  in  the  body  of  the  subject.  Iteration  over  functional  objects  can  introduce 
new  dependencies  into  the  subordination  graph  as  the  following  example  shows. 

Example 4.21 (Higher-order logic) First-order logic can easily be extended to higher-order logic by introducing a reification function from formulas to terms. To count the number of equality tests, we extend the subject of iteration defined in Example 4.5 by a new abstraction over the reification function $r$, which has type $o \to i$. The introduction of a reification function makes terms and formulas depend mutually on each other. We therefore must distinguish between $cnteq_i$ of type $\Box((o \to i) \to i) \to \Box nat$, which counts occurrences of equality tests in terms, and $cnteq_o$ of type $\Box((o \to i) \to o) \to \Box nat$, which counts them in formulas.


$$
\begin{array}{lcl}
cnteq_o\ (\lambda r{:}o \to i.\ forall\ (\lambda x{:}i.\ F\ r\ x)) & = & cnteq_o\ (\lambda r{:}o \to i.\ F\ r\ x) \\
 & & \quad \text{where } cnteq_i\ (\lambda r{:}o \to i.\ x) = z \\
cnteq_o\ (\lambda r{:}o \to i.\ impl\ (F_1\ r)\ (F_2\ r)) & = & plus\ (cnteq_o\ (\lambda r{:}o \to i.\ F_1\ r))\ (cnteq_o\ (\lambda r{:}o \to i.\ F_2\ r)) \\
cnteq_o\ (\lambda r{:}o \to i.\ eq\ (t_1\ r)\ (t_2\ r)) & = & s\ (plus\ (cnteq_i\ (\lambda r{:}o \to i.\ t_1\ r))\ (cnteq_i\ (\lambda r{:}o \to i.\ t_2\ r))) \\
cnteq_i\ (\lambda r{:}o \to i.\ r\ (F\ r)) & = & cnteq_o\ (\lambda r{:}o \to i.\ F\ r)
\end{array}
$$

The representation of $cnteq_o$ in the modal λ-calculus has the form:

$$
\begin{array}{l}
cnteq_o : \Box((o \to i) \to o) \to \Box nat \\
\quad = \lambda F{:}\Box((o \to i) \to o).\ it\ (o \mapsto \Box nat,\ i \mapsto \Box nat)\ F \\
\qquad (\ forall \mapsto \lambda f{:}\Box nat \to \Box nat.\ f\ (box\ z) \\
\qquad \mid impl \mapsto plus \\
\qquad \mid eq \mapsto \lambda m{:}\Box nat.\ \lambda n{:}\Box nat.\ let\ box\ r = plus\ m\ n\ in\ box\ (s\ r))
\end{array}
$$


It is clear that the type of the iteration subject must be taken into consideration when defining the general subordination relation. We proceed now by characterizing all those dependencies which arise from the type $B$ of the iteration subject, which leads to the notion of dynamic subordination. From the example above we can see that variables occurring in the closed subject of iteration can be interpreted as constructors if we look at the object from a purely syntactic point of view. We call those variables pseudo constructors and, correspondingly, their types pseudo constructor types.

A closer look reveals that not all abstractions in a closed term introduce relevant pseudo constructors: relevant with respect to the subordination relation are only the top-level pseudo constructors, which are introduced as variables of the argument types of $B$. All others are of some subtype of either a constructor type from the signature or a pseudo constructor type. Pseudo constructor types of $B$ are hence inductively defined as follows.

Definition 4.22 (Set of pseudo constructor types)

$$
\begin{array}{lcl}
PCT(a) & = & \{\} \\
PCT(B_1 \to B_2) & = & \{B_1\} \cup PCT(B_2)
\end{array}
$$

In the next step we define the dynamic subordination relation, which can be directly determined from the set of pseudo constructor types. We follow the same idea as in the static case: every pseudo constructor type in $PCT(B)$ induces a new set of dependencies. Taking all these sets together we finally arrive at the dynamic subordination relation:

Definition 4.23 (Dynamic subordination relation) Let $B$ be a pure type.

$$a_1 \lhd_B a_2 \qquad\text{iff}\qquad B = B_1 \to B_2 \ \text{ and either } a_1 <_{B_1} a_2 \text{ or } a_1 \lhd_{B_2} a_2$$

Consider the type $B = (o \to i) \to o$ of the subject in the previous example (the subject itself has type $\Box B$). Here $PCT(B) = \{o \to i\}$, so the dynamic subordination relation is characterized by $o \lhd_B i$. It says that we have a pseudo constructor which behaves as some kind of embedding function from formulas into individuals. It should be immediately evident that the presence of such an embedding function turns the first-order logic from Example 4.5 into a higher-order logic. Static and dynamic subordination represent local dependencies between atomic types. To obtain the global subordination relation, the union of both must be closed under transitivity.

Definition 4.24 (Global subordination relation) Let $B$ be a pure type. The global subordination relation $\lhd^*$ is the transitive closure

$$(\lhd_\Sigma \cup \lhd_B)^*$$

Note that the global subordination relation is not necessarily reflexive. On the other hand, if the subordination relation is reflexive at the atomic type $\tau(B)$, i.e. $\tau(B) \lhd^* \tau(B)$ holds, then $\tau(B)$ is recursive or inductive with respect to $B$.

The  notion  of  inductive  type  and  subordination  are  very  closely  related.  In  fact,  the  subordina¬ 
tion  relation  is  defined  with  the  purpose  to  extend  the  notion  of  inductive  types.  Note  that  static 
type  subordination  is  built  into  calculi  where  inductive  types  are  defined  explicitly  (such  as  the 
Calculus  of  Inductive  Constructions  [PM93]);  here  it  must  be  recovered  from  the  signature  since  we 
impose  no  ordering  constraints  except  that  a  type  must  be  declared  before  it  is  used.  Our  choice 
to  recover  the  type  subordination  relation  from  the  signature  allows  us  to  perform  iteration  over 
any  functional  type,  without  fixing  the  possibilities  in  advance. 

As we have seen in Example 4.21, the dynamic subordination relation implies that terms and formulas depend on each other. Hence static subordination constitutes only part of the subordination relation. If we followed the paradigm used in Coq we would have to calculate internally a syntactic definition of the new inductive type, where pseudo constructors are defined as real constructors. This has to be done on the fly because, as we will see later in the typing rules, the type $B$ of the subject of iteration must be inferred first. It is indeed possible to proceed this way, and it is also possible to show the equivalence of both formulations (which we are not going to do here). All type constants which are mutually dependent with $\tau(B)$, written $I(\Sigma; B)$, form an inductive datatype.

Definition 4.25 (Inductive type) Let $B$ be a type and $\Sigma$ a signature:

$$I(\Sigma; B) := \{\,a \mid \tau(B) \lhd^* a \ \text{ and }\ a \lhd^* \tau(B)\,\}$$

Revisiting Example 4.21, which extends first-order logic to higher-order logic, we can calculate the inductive type $I(\Sigma; (o \to i) \to o) = \{o, i\}$. The set of constructors then has the following form:

$$\Sigma^*(\Sigma; o, i) = forall : (i \to o) \to o,\ \ impl : o \to o \to o,\ \ eq : i \to i \to o$$
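The definitions above (4.15 to 4.25) are mechanical enough to compute, and doing so is a useful check on the hand calculations for Examples 4.10 and 4.21. The following Python code is an added example, not from the paper: pure types are encoded as nested pairs (an atomic type is a string, B1 → B2 is the pair (B1, B2)), a signature is a dictionary from constructor names to types, and the functions compute Source, the immediate, static and dynamic subordination relations, their transitive closure, I(Σ; B) and Σ*(Σ; α). The names SIG_NF and SIG_FOL are this example's own encodings of the two signatures.

```python
# Added example (not from the paper): subordination and inductive types
# computed from a signature and the type of the iteration subject.
from itertools import product

def target(b):
    """tau(B): the atomic type at the end of the arrow chain."""
    return b if isinstance(b, str) else target(b[1])

def source(b):
    """Source(B): atomic types from whose objects an object of type B is built."""
    if isinstance(b, str):
        return set()
    b1, b2 = b
    return source(b1) | {target(b1)} | source(b2)

def immediate(b):
    """Immediate subordination a <_B tau(B) for every a in Source(B)."""
    return {(a, target(b)) for a in source(b)}

def static_sub(sig):
    """<_Sigma: union of the immediate relations of all constructor types."""
    rel = set()
    for b in sig.values():
        rel |= immediate(b)
    return rel

def pct(b):
    """PCT(B): the pseudo constructor types, i.e. the argument types of B."""
    return [] if isinstance(b, str) else [b[0]] + pct(b[1])

def dynamic_sub(b):
    """<_B: dependencies introduced by the parameters of the subject."""
    rel = set()
    for b1 in pct(b):
        rel |= immediate(b1)
    return rel

def closure(rel):
    """Transitive (not reflexive) closure, Warshall style."""
    rel = set(rel)
    atoms = {a for pair in rel for a in pair}
    for k, i, j in product(atoms, repeat=3):   # k is the outermost loop
        if (i, k) in rel and (k, j) in rel:
            rel.add((i, j))
    return rel

def global_sub(sig, b):
    """(<_Sigma u <_B)*"""
    return closure(static_sub(sig) | dynamic_sub(b))

def inductive_type(sig, b):
    """I(Sigma; B): atomic types mutually dependent with tau(B)."""
    rel = global_sub(sig, b)
    t = target(b)
    atoms = {a for pair in rel for a in pair}
    return {a for a in atoms if (t, a) in rel and (a, t) in rel}

def constructors(sig, domain):
    """Sigma*(Sigma; alpha): constructors whose target type lies in the domain."""
    return {c: b for c, b in sig.items() if target(b) in domain}

# Example 4.10: normal forms nf and atomic forms at (constructed encoding)
SIG_NF = {"atnf": ("at", "nf"),
          "l":    (("at", "nf"), "nf"),
          "a":    ("at", ("nf", "at"))}

# Examples 4.5 / 4.21: first-order logic with individuals i and formulas o
SIG_FOL = {"forall": (("i", "o"), "o"),
           "impl":   ("o", ("o", "o")),
           "eq":     ("i", ("i", "o"))}

HOL_SUBJECT = (("o", "i"), "o")      # (o -> i) -> o, the subject type of 4.21
```

With the subject type o alone, I(SIG_FOL; o) is just {o}: individuals never depend on formulas in the static signature. Abstracting the subject over a reification function r : o → i adds the dynamic edge o ◁ i, and the closure then makes o and i mutually dependent, which is exactly what the text derives by hand.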

Let us now address the question of how the type of an iteration is formed: if the subject of iteration has type $B$, the iterator object has type $(\omega)(B)$, where $(\omega)(B)$ is defined inductively by replacing each type constant according to $\omega$, leaving types outside the domain fixed. The replacement application might traverse type constants not defined in $\omega$. This becomes immediately evident when we consider Example 4.8: $nat$ is traversed but not defined in $\omega$. Also in Example 4.5: $i$ is not defined in $\omega$. But since objects of such strictly subordinate types do not participate in the process of iteration, their types remain unchanged.

Definition 4.26 (Type replacement)

$$
\begin{array}{lcll}
(\omega)(a) & = & A & \text{if } \omega(a) = A \\
 & & a & \text{otherwise} \\
(\omega)(B_1 \to B_2) & = & (\omega)(B_1) \to (\omega)(B_2)
\end{array}
$$
A similar replacement is applied at the level of terms: the result of an iteration is an object which resembles the (canonical) subject of the iteration in structure, but object constants are replaced by other objects carrying the intended computational meaning of the different cases. Even though the subject of iteration is closed at the beginning of the replacement process, we need to deal with embedded λ-abstractions due to higher-order abstract syntax. But since such functions are parametric, we can simply replace variables $x$ of type $B$ by new variables $x'$ of type $(\omega)(B)$.

$$\text{Term replacement:}\qquad \Omega ::= \cdot \mid (\Omega \mid c \mapsto M) \mid (\Omega \mid x \mapsto x')$$

Initially the domain of a term replacement is a signature containing all constructors whose target type is in $I(\Sigma; B)$. We refer to this signature as $\Sigma^*(\Sigma; I(\Sigma; B))$. The form of iteration follows now quite naturally: we extend the notion of objects by

$$M ::= \ldots \mid it\ (\omega)\ M\ (\Omega)$$

and extend the typing rules for iteration. To do so we must introduce a new typing judgment for term replacements $\Omega$: $\Delta; \Gamma \vdash \Omega : (\omega)(\Sigma)$. $\Omega$ is well-typed if it replaces every constant of some signature $\Sigma$ with some object of the correct type.

Definition 4.27 (Typing judgment for iteration) extending Definition 3.1:

$$
\frac{\Delta; \Gamma \vdash M : \Box B \qquad \vdash \omega : \alpha \qquad \Delta; \Gamma \vdash \Omega : (\omega)(\Sigma')}{\Delta; \Gamma \vdash it\ (\omega)\ M\ (\Omega) : (\omega)(B)}\ \text{TpIt}
\qquad \text{where } \alpha = I(\Sigma; B) \text{ and } \Sigma' = \Sigma^*(\Sigma; \alpha)
$$

$$
\frac{}{\Delta; \Gamma \vdash \cdot : (\omega)(\cdot)}\ \text{TrBase}
\qquad\qquad
\frac{\Delta; \Gamma \vdash \Omega : (\omega)(\Sigma) \qquad \Delta; \Gamma \vdash M : (\omega)(B')}{\Delta; \Gamma \vdash (\Omega \mid c \mapsto M) : (\omega)(\Sigma, c{:}B')}\ \text{TrInd}
$$

It should now be clear how to proceed when developing a function which involves iteration, such as the one used to translate λ-expressions into de Bruijn representation in Example 4.8. In a first step it is necessary to define the type of the function, that is, to make explicit which arguments must be boxed and which not. This is mainly determined by the subject of the iteration. On the basis of this type the type replacement $\omega$ needs to be specified. In Example 4.8 we defined iteration over an object of type $\Box exp$. During the traversal of the term, $exp$ was mapped to a function type $\Box nat \to db$, because the relative de Bruijn index changes during the traversal. This is already enough to fix the type replacement: $\omega = exp \mapsto \Box nat \to db$.

In a second step the set of constructors which must be replaced is determined by the inductive datatype $I(\Sigma; exp) = exp$. By definition it follows that

$$\Sigma^*(\Sigma; exp) = lam : (exp \to exp) \to exp,\ \ app : exp \to (exp \to exp)$$

The operational character of iteration makes it now necessary to define the term replacement, mapping $lam$ and $app$ to objects $M_1$ and $M_2$, respectively. The typing rules TrBase and TrInd determine their types, but there is also a very intuitive way to do so: $lam$ expects one parameter, which we assume to be transformed to a parameter of a new type. Its type results from replacing every occurrence of $exp$ in the type of the parameter by the new type $\Box nat \to db$, which is exactly what the type replacement expresses. Hence $M_1$ must have the type

$$((\Box nat \to db) \to (\Box nat \to db)) \to (\Box nat \to db)$$

and similarly the replacement for $app$ must have type

$$(\Box nat \to db) \to (\Box nat \to db) \to (\Box nat \to db).$$

The iteration itself hence has type $\Box nat \to db$.

Applying a term replacement must be restricted to canonical forms in order to preserve types. Fortunately, our type system guarantees that the subject of an iteration can be converted to canonical form. Applying a replacement then transforms a canonical form $V$ of type $B$ into a well-typed object $(\omega; \Omega)(V)$ of type $(\omega)(B)$. We call this operation elimination. It is defined along the structure of $V$.

Definition 4.28 (Elimination)

$$
\begin{array}{lclll}
(\omega; \Omega)(c) & = & M & \text{if } \Omega(c) = M & \text{(ElConst)} \\
 & & c & \text{otherwise} \\
(\omega; \Omega)(x) & = & \Omega(x) & & \text{(ElVar)} \\
(\omega; \Omega)(\lambda x{:}B.\ V) & = & \lambda x'{:}(\omega)(B).\ (\omega; \Omega \mid x \mapsto x')(V) & & \text{(ElLam)} \\
(\omega; \Omega)(V_1\ V_2) & = & (\omega; \Omega)(V_1)\ (\omega; \Omega)(V_2) & & \text{(ElApp)}
\end{array}
$$

Constructors and variables must be mapped to objects defined in the term replacement $\Omega$. As encountered above, not all types occurring in the subject type of the iteration live in the inductive datatype. This implies that elimination might encounter constructors which are not defined in the term replacement. In this case we do not replace the constants, as already indicated by the type replacement, which leaves those atomic types unchanged. When eliminating a λ-abstraction $\lambda x{:}B.\ V$, ElLam applies: $x$, introduced by the λ-abstraction, is a pseudo constructor which is renamed to $x'$. The term replacement must hence be extended by $x \mapsto x'$. The elimination result must then be abstracted over the newly introduced variable $x'$ of type $(\omega)(B)$.

The term resulting from elimination might, of course, contain redices and must itself be evaluated to obtain a final value. Thus we obtain the following evaluation rule for iteration.

Definition 4.29 (Evaluation judgment) extending Definition 3.3:

$$
\frac{\Gamma \vdash M \hookrightarrow box\ M' : \Box B \qquad \cdot \vdash M' \Uparrow V' : B \qquad \Gamma \vdash (\omega; \Omega)(V') \hookrightarrow V : (\omega)(B)}{\Gamma \vdash it\ (\omega)\ M\ (\Omega) \hookrightarrow V : (\omega)(B)}\ \text{EvIt}
$$
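As an added example (not the paper's own code), the following Python program implements elimination in the sense of Definition 4.28 as a shallow embedding: canonical forms are nested tuples, constants are looked up in the term replacement and left untouched when absent (ElConst), and ElLam produces a Python function whose argument plays the role of the fresh variable $x'$, so that the pseudo-constructor match is supplied by applying the result. It runs the equality-test count of Example 4.21 on a constructed formula (the reification parameter $r$ is supplied after the iteration as the identity, since $r$ adds no tests) and a de Bruijn translation in the spirit of Example 4.8. The exact term of Example 4.8 is not on this page, so the replacement DEBRUIJN below, with $exp \mapsto nat \to db$, is this example's own reconstruction; the sample terms HOL_FORMULA and APPLY_TERM are constructed inputs.

```python
# Added example (not from the paper): elimination (Definition 4.28) as a
# shallow embedding.  A term replacement Omega is a dict from constant and
# pseudo-constructor names to Python values; object-level functions become
# Python functions, so (omega)(B) is never materialized at run time.

def const(c):      return ("const", c)
def var(x):        return ("var", x)
def lam(x, body):  return ("lam", x, body)
def app(f, a):     return ("app", f, a)

def apps(head, *args):
    """c M1 .. Mn as nested binary applications."""
    for a in args:
        head = app(head, a)
    return head

def type_repl(omega, b):
    """(omega)(B), Definition 4.26: atomic types outside the domain stay fixed."""
    if isinstance(b, str):
        return omega.get(b, b)
    return (type_repl(omega, b[0]), type_repl(omega, b[1]))

def eliminate(v, repl):
    """(omega; Omega)(V): replace constructors and pseudo constructors in V."""
    tag = v[0]
    if tag == "const":                                   # ElConst
        return repl.get(v[1], v)                         # undefined constants stay
    if tag == "var":                                     # ElVar: bound by an ElLam above
        return repl[v[1]]
    if tag == "lam":                                     # ElLam: Omega | x -> x'
        _, x, body = v
        return lambda x_new: eliminate(body, {**repl, x: x_new})
    _, f, a = v                                          # ElApp
    return eliminate(f, repl)(eliminate(a, repl))

# Example 4.21 with omega = (o -> nat, i -> nat): equality-test count.
CNTEQ = {
    "forall": lambda f: f(0),                  # the bound individual x counts as z
    "impl":   lambda m: lambda n: m + n,       # plus
    "eq":     lambda m: lambda n: m + n + 1,   # s (plus m n)
}

def cnteq_o(subject):
    """Subject \\r:o->i. F: the outer abstraction is a pseudo constructor, so
    elimination yields a function of r's replacement; r adds no tests."""
    return eliminate(subject, CNTEQ)(lambda n: n)

# Constructed subject \r. forall (\x. impl (eq x (r (eq x x))) (eq x x)):
# three occurrences of eq, one of them under the reification function.
HOL_FORMULA = lam("r", apps(const("forall"),
    lam("x", apps(const("impl"),
        apps(const("eq"), var("x"),
             app(var("r"), apps(const("eq"), var("x"), var("x")))),
        apps(const("eq"), var("x"), var("x"))))))

# De Bruijn translation in the spirit of Example 4.8 (own reconstruction):
# omega = exp -> (nat -> db).  A variable bound at depth d becomes the pseudo
# constructor \m. dvar (m - d - 1); db terms are plain tuples without binders.
DEBRUIJN = {
    "lam": lambda f: lambda d: ("dlam", f(lambda m: ("dvar", m - d - 1))(d + 1)),
    "app": lambda f: lambda g: lambda d: ("dapp", f(d), g(d)),
}

def to_debruijn(closed_exp):
    return eliminate(closed_exp, DEBRUIJN)(0)

# Constructed input: lam (\x. lam (\y. app x y)) in higher-order abstract syntax
APPLY_TERM = apps(const("lam"), lam("x",
                 apps(const("lam"), lam("y",
                     apps(const("app"), var("x"), var("y"))))))
```

The only place where binding is handled is the "lam" case of eliminate, and it handles it by delegating to Python's own closures: the pseudo constructor $x$ is never looked up by name in the result, exactly as the paper's $x \mapsto x'$ extension intends.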

The reader is invited to check that this operational semantics yields the expected results on the examples of this section.

Our calculus also contains a case construct whose subject may be of type $\Box B$ for arbitrary pure $B$. It allows us to distinguish cases based on the intensional structure of the subject. For example, we can test whether a given (parametric!) function is the identity or not. We discuss the case construct in the next section.
5 Case

Iteration is a powerful mechanism which replaces a general recursion scheme in our system. We have seen that we can recover primitive recursion over natural numbers since our calculus contains pairs. A quite natural question to ask is whether iteration can be used to mimic definition by cases. We currently have no proof of this, but we strongly suspect that it cannot. We start with some easy examples.

Example 5.1 (Comparison) To check whether a natural number is greater than 0 we would like to write informally

$$
\begin{array}{lcl}
gt0\ m & = & case\ m\ of\ z \Rightarrow false \\
 & & \qquad\quad\ \ \mid (s\ m') \Rightarrow true
\end{array}
$$

In our system we view case distinction as a selection of a branch, triggered by the head constant of the case subject. We replace $z : nat$ by an object $M_z : A$ and $s : nat \to nat$ by $M_s : \Box nat \to A$. Note that the argument type of $M_s$ is $\Box nat$ and not $nat$, as one might suspect at first sight. This is because we know that the case subject is closed, and hence its arguments must be closed, too. It seems that our construction does not work for functional case subjects, whose arguments may mention the variables bound by the subject. Resolving this apparent contradiction is one of the main difficulties in the design of a suitable case operator. The case construct in its simplest form is written as "$case\ (A)\ M\ (\Xi)$", where $M$ (of type $\Box a$) is the subject of the case, and $\Xi$ is a list containing matches for all constructors of type $a$.

Example 5.2 (Comparison with case) The greater-than function from Example 5.1 can be formulated as follows:

$$
\begin{array}{l}
gt0 : \Box nat \to bool \\
\quad = \lambda m{:}\Box nat.\ case\ (bool)\ m\ (z \Rightarrow false \mid s \Rightarrow \lambda m'{:}\Box nat.\ true)
\end{array}
$$

Boolean connectives serve as further simple examples which show the use of the case construct in our system. We have already seen a representation of conjunction in Example 4.6.

Example 5.3 (Boolean operators) Informally we can represent not and or as follows. We must require that all argument and result types be boxed, because the result of a boolean operation might be used for another case distinction, as is commonly the case.

$$
\begin{array}{ll}
not\ B = case\ B\ of & \qquad or\ B_1\ B_2 = case\ B_1\ of \\
\quad (\ true \Rightarrow false & \qquad\quad (\ true \Rightarrow true \\
\quad \mid false \Rightarrow true) & \qquad\quad \mid false \Rightarrow B_2)
\end{array}
$$

The formal representation of the Boolean operations is as follows:

$$
\begin{array}{ll}
not : \Box bool \to \Box bool & \qquad or : \Box bool \to \Box bool \to \Box bool \\
\quad = \lambda B{:}\Box bool. & \qquad\quad = \lambda B_1{:}\Box bool.\ \lambda B_2{:}\Box bool. \\
\qquad case\ (\Box bool)\ B & \qquad\qquad case\ (\Box bool)\ B_1 \\
\qquad\quad (\ true \Rightarrow box\ false & \qquad\qquad\quad (\ true \Rightarrow box\ true \\
\qquad\quad \mid false \Rightarrow box\ true) & \qquad\qquad\quad \mid false \Rightarrow B_2)
\end{array}
$$

Many more examples are representable in our system. We start by presenting subtraction (which we already assumed to be representable in Example 4.8), where we need a combination of iteration and case distinction.
Example 5.4 (Subtraction) Among other possibilities, the type of subtraction could be $\Box nat \to \Box nat \to \Box nat$. It is informally defined as follows.

$$
\begin{array}{lcl}
minus\ m\ z & = & m \\
minus\ m\ (s\ n') & = & case\ m\ of\ z \Rightarrow z \\
 & & \qquad\quad\ \ \mid (s\ m') \Rightarrow minus\ m'\ n'
\end{array}
$$

Both arguments of minus must be closed, because we use case distinction over the first argument and iteration over the second.

$$
\begin{array}{l}
minus : \Box nat \to \Box nat \to \Box nat \\
\quad = \lambda x{:}\Box nat.\ \lambda y{:}\Box nat.\ it\ (nat \mapsto (\Box nat \to \Box nat))\ y \\
\qquad (\ z \mapsto \lambda m{:}\Box nat.\ m \\
\qquad \mid s \mapsto \lambda n{:}(\Box nat \to \Box nat). \\
\qquad\qquad \lambda m{:}\Box nat.\ case\ (\Box nat)\ m \\
\qquad\qquad\quad (\ z \Rightarrow box\ z \\
\qquad\qquad\quad \mid s \Rightarrow \lambda m'{:}\Box nat.\ n\ m'))\ x
\end{array}
$$

Case  is  not  restricted  to  range  over  atomic  types  only.  Using  case  over  functional  types  we  show 
in  the  next  example  how  an  identity  function  test  can  be  implemented. 

Example 5.5 (Identity test) Below is a function which decides whether a parametric function mapping $exp$ to $exp$ is the identity function or not. The function has type $\Box(exp \to exp) \to bool$.

$$
\begin{array}{lcl}
id\text{-}test\ E & = & case\ E\ of\ \lambda x{:}exp.\ app\ (E_1\ x)\ (E_2\ x) \Rightarrow false \\
 & & \qquad\quad\ \ \mid \lambda x{:}exp.\ lam\ (\lambda y{:}exp.\ E'\ x\ y) \Rightarrow false \\
 & & \qquad\quad\ \ \mid \lambda x{:}exp.\ x \Rightarrow true
\end{array}
$$

Following the same idea as above, we match in the first case $E$ with $app : exp \to (exp \to exp)$ and return $M_a$. Instead of just boxing the arguments of $app$ we must be more careful, because those arguments might contain the free variable $x$ which was introduced by the case subject. In fact every argument of $app$ must be closed under this variable: the objects expected by $M_a$ hence have the form $\lambda x{:}exp.\ E_1$ and $\lambda x{:}exp.\ E_2$, both of type $exp \to exp$. Since $x$ was the only free variable which might occur in $E_1$ or $E_2$, we also know that both λ-expressions are closed. Hence they can be boxed. The type of $M_a$ is therefore $\Box(exp \to exp) \to \Box(exp \to exp) \to \Box bool$.

A very similar argument can be applied to determine the type of $M_l$, the match for $lam : (exp \to exp) \to exp$. $x$ can occur free in the body $E'$ of the λ-expression, hence $M_l$ will be passed the boxed object $\lambda x{:}exp.\ E'$, which gives $M_l$ the type $\Box(exp \to (exp \to exp)) \to \Box bool$.

It should not be forgotten that there is also a third case to be considered: $x$ can occur as a pseudo constructor in the body of the case subject. Here again, as in the iterator case, the matching objects for pseudo constructors are not given immediately; instead the result of case is a function expecting the match object $M_x$ for the pseudo constructor. $M_x$ must be of type $\Box bool$. Let us return to the previous example:
Let  us  return  to  the  previous  example: 

Example 5.5 (Identity test using case) The identity test function is hence represented as follows.

$$
\begin{array}{l}
id\text{-}test : \Box(exp \to exp) \to \Box bool \\
\quad = \lambda E{:}\Box(exp \to exp).\ case\ (\Box bool)\ E \\
\qquad (\ app \Rightarrow \lambda E_1{:}\Box(exp \to exp).\ \lambda E_2{:}\Box(exp \to exp).\ box\ false \\
\qquad \mid lam \Rightarrow \lambda E'{:}\Box(exp \to exp \to exp).\ box\ false)\ (box\ true)
\end{array}
$$
In the following we develop two functions to test whether an expression from Example 2.5 is a β-redex or an η-redex. This shows how more than one case construct can be nested, and demonstrates again how case distinction proceeds over functional objects. To remind the reader, β- and η-reduction are defined as follows.

$$
\begin{array}{ll}
\beta\text{-reduction:} & (\lambda x{:}exp.\ E_1)\ E_2 \longrightarrow [E_2/x]E_1 \\
\eta\text{-reduction:} & \lambda x{:}exp.\ (E\ x) \longrightarrow E \quad \text{where } x \text{ does not occur free in } E
\end{array}
$$

$(\lambda x{:}exp.\ E_1)\ E_2$ is called a β-redex, and $\lambda x{:}exp.\ (E\ x)$ is called an η-redex if $x$ does not occur free in $E$. These examples can be modified to implement the reductions themselves.


Example 5.6 (β-redex test) The β-redex test function has type $\Box exp \to \Box bool$ and can informally be defined as follows.

$$
\begin{array}{lcl}
beta\text{-}test\ E & = & case\ E\ of\ (lam\ E') \Rightarrow false \\
 & & \qquad\quad\ \ \mid (app\ E_1\ E_2) \Rightarrow case\ E_1\ of\ (lam\ E') \Rightarrow true \\
 & & \qquad\qquad\qquad\qquad\qquad\qquad\qquad\quad\ \ \mid (app\ E_1'\ E_2') \Rightarrow false
\end{array}
$$

Its representation in our calculus is hence:

$$
\begin{array}{l}
beta\text{-}test : \Box exp \to \Box bool \\
\quad = \lambda E{:}\Box exp.\ case\ (\Box bool)\ E \\
\qquad (\ lam \Rightarrow \lambda E'{:}\Box(exp \to exp).\ box\ false \\
\qquad \mid app \Rightarrow \lambda E_1{:}\Box exp.\ \lambda E_2{:}\Box exp. \\
\qquad\qquad case\ (\Box bool)\ E_1 \\
\qquad\qquad\quad (\ lam \Rightarrow \lambda E'{:}\Box(exp \to exp).\ box\ true \\
\qquad\qquad\quad \mid app \Rightarrow \lambda E_1'{:}\Box exp.\ \lambda E_2'{:}\Box exp.\ box\ false))
\end{array}
$$


Example 5.7 (η-redex test) The function to decide whether a given expression is an η-redex is more difficult to define. Clearly, it will have type $\Box exp \to \Box bool$. The main difficulty arises because the decision cannot simply be made by considering the structure of the expression: we must also ensure the side condition for η-redices, namely that the bound variable does not occur free in the function part. Fortunately we already defined the functions const and id-test, which come in handy for the informal definition of the η-redex test.

$$
\begin{array}{lcl}
eta\text{-}test\ E & = & case\ E\ of \\
 & & \quad (lam\ E') \Rightarrow case\ E'\ of\ \lambda x{:}exp.\ lam\ (\lambda y{:}exp.\ E''\ x\ y) \Rightarrow false \\
 & & \qquad\qquad\qquad\qquad\qquad\ \mid \lambda x{:}exp.\ app\ (E_1'\ x)\ (E_2'\ x) \Rightarrow and\ (const\ E_1')\ (id\text{-}test\ E_2') \\
 & & \qquad\qquad\qquad\qquad\qquad\ \mid \lambda x{:}exp.\ x \Rightarrow false \\
 & & \quad \mid (app\ E_1\ E_2) \Rightarrow false
\end{array}
$$

Its representation in our calculus is hence:

$$
\begin{array}{l}
eta\text{-}test : \Box exp \to \Box bool \\
\quad = \lambda E{:}\Box exp. \\
\qquad case\ (\Box bool)\ E \\
\qquad\quad (\ lam \Rightarrow \lambda E'{:}\Box(exp \to exp). \\
\qquad\qquad\quad case\ (\Box bool)\ E' \\
\qquad\qquad\qquad (\ lam \Rightarrow \lambda E''{:}\Box(exp \to exp \to exp).\ box\ false \\
\qquad\qquad\qquad \mid app \Rightarrow \lambda E_1'{:}\Box(exp \to exp).\ \lambda E_2'{:}\Box(exp \to exp). \\
\qquad\qquad\qquad\qquad and\ (const\ E_1')\ (id\text{-}test\ E_2'))\ (box\ false) \\
\qquad\quad \mid app \Rightarrow \lambda E_1{:}\Box exp.\ \lambda E_2{:}\Box exp.\ box\ false)
\end{array}
$$
We now begin the formal discussion of the case construct. Differently from iteration, which traverses the entire structure of the subject, case only recurses down to the head constructor of the subject, leaving the arguments aside. The subject for selection is always of the form λx1:B1. ... λxm:Bm. c M1 .. Mn with a head constructor c of type B'. Operationally speaking, during the process of selection the head constructor is replaced by an object M representing the computational content of the applicable case. At first glance one might suspect that M's type is B1' → .. → Bn' → A, where the Bi' are the argument types of c and A is the result type of the case. This is not powerful enough: since case distinction requires its subject to be closed, no further case distinction could be performed over any of the objects M1 .. Mn. To solve this dilemma we close each argument Mi by abstracting over every variable which might possibly occur free in it. All those variables can be determined, because each Mi is a subobject of the case subject. This allows us to close the newly constructed object with a box. To make this more formal we define a generalized λ-abstraction which we call abstraction closure: λ{Γ}. M stands for a closed object where M is wrapped in the λ-abstractions prescribed by Γ.

Definition 5.8 (Abstraction closure)

\[ \lambda\{\cdot\}.\,M := M \]

\[ \lambda\{\Gamma', x{:}B\}.\,M := \lambda\{\Gamma'\}.\,(\lambda x{:}B.\,M) \]

and its type is defined as Π{Γ}. A:

Definition 5.9 (Abstraction closure type)

\[ \Pi\{\cdot\}.\,A := A \]

\[ \Pi\{\Gamma, x{:}A'\}.\,A := \Pi\{\Gamma\}.\,(A' \to A) \]

Returning to our discussion, we can now write box (λ{Γ}. Mi) for the abstracted and closed version of Mi, where Γ is a context accounting for all free variables possibly occurring in Mi. It follows that this argument-closing operation determines the type of M, which we discuss next.

In Example 5.5 we encountered the problem of assigning types to the arguments of the objects M_app and M_lam, which represent the computational meaning of the cases app and lam, respectively. We now generalize this approach, which leads to the notion of case types. As pointed out above, the general form of the canonical case subject is λ{Γ}. c M1 .. Mn with a head constructor c of type B'. The type of the case subject is hence Π{Γ}. a for some atomic type a. The set of candidate constructors c consists of all constructors with the same target type a. All pseudo constructors declared in Γ having target type a could also occur in the position of c. Consider now some (pseudo) constructor c of type B' where τ(B') = a. Selecting a case for this constructor c means selecting an object M_c carrying the intended computational meaning for this case. M_c must be a function which expects as parameters box λ{Γ}. M1 ... box λ{Γ}. Mn, as motivated above. M_c's type can hence be derived from the type of the case subject B = Π{Γ}. a, the result type A of the case, and the type of the constructor c : B'. We abbreviate this type by writing C(Π{Γ}. a, A, B').

Definition 5.10 (Case types)

\[ \mathcal{C}\,((\Pi\{\Gamma\}.\,a), A, a') := \begin{cases} A & \text{if } a' = a \\ a' & \text{otherwise} \end{cases} \]

\[ \mathcal{C}\,((\Pi\{\Gamma\}.\,a), A, (B_1 \to B_2)) := \Box(\Pi\{\Gamma\}.\,B_1) \to \mathcal{C}\,((\Pi\{\Gamma\}.\,a), A, B_2) \]
Note that in the presentation so far τ(B) = τ(B') holds; hence the otherwise case in the definition above does not apply. This changes if we direct our attention to the type of the case object itself, since pseudo constructors must be replaced by variables of case types. That is, if the case subject is of type B = B1 → ... → Bm → a then the type of the case construct is C(B, A, B1) → ... → C(B, A, Bm) → A. Obviously there might be pseudo constructor types Bi whose target type is different from a. In those cases the atomic case types C(B, A, B') must still be well-defined, which makes the otherwise clause necessary. In fact, those pseudo constructors can never occur in head position. Even though we would like to omit them from the definition of case types in general, as the following example shows, we do not pursue this idea here, but leave it to future research.

Example 5.11 (Equality formula test for higher-order logic) Consider a function which returns true if a higher-order formula is of the form t1 = t2, and false otherwise. We call this function eq-test. The type of this function should be □((o → i) → o) → □bool. Informally we would write:

    eq-test F = case F of
        λr:o → i. forall λx:i. F' r x        ⇒ false
      | λr:o → i. impl (F1' r) (F2' r)       ⇒ false
      | λr:o → i. eq (t1 r) (t2 r)           ⇒ true

The straightforward representation of this function in our system would be

    eq-test : □((o → i) → o) → (□((o → i) → o) → i) → □bool
      = λF:□((o → i) → o).
        case (□bool) F
          (forall ⇒ λF':□((o → i) → i → o). box false
          | impl ⇒ λF1':□((o → i) → o). λF2':□((o → i) → o). box false
          | eq ⇒ λt1:□((o → i) → i). λt2:□((o → i) → i). box true)

The type of this representation of eq-test has an unexpected form: we would expect its type to be □((o → i) → o) → □bool. The reader can convince himself that the type of eq-test is correct, and that the second argument type □((o → i) → o) → i represents the branch for the pseudo constructor r. The pseudo constructor itself happens to be insignificant because it cannot occur in head position, but our system currently does not check this special case, for simplicity of the development below and of the proofs in Section 7. Thus a dummy argument must be supplied.

The type of the case construction case (A) M Ξ is called the complete case type C*(B, A, B), where B is the type of M. C*(B, A, B') is defined for a pure type B' as follows.

Definition 5.12 (Complete case type)

\[ \mathcal{C}^*(B, A, a) := \mathcal{C}(B, A, a) \]

\[ \mathcal{C}^*(B, A, (B_1 \to B_2)) := \mathcal{C}(B, A, B_1) \to \mathcal{C}^*(B, A, B_2) \]
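The type computations of Definitions 5.9, 5.10 and 5.12 can be checked mechanically. The following Python program is an added example, not part of the paper: it computes the case type of a constructor and the complete case type of a case construct from the pure types involved, reproducing the type of eq-test in Example 5.11 and the branch types used in Examples 5.6 and 5.7. The otherwise clause of Definition 5.10 is implemented as returning the atomic type a' itself, which is the reading that yields the second argument type □((o → i) → o) → i of Example 5.11. The names `Atom`, `Arrow`, `BoxT`, `split`, `pi`, `case_type`, `complete_case_type` and `show` are this example's own.

```python
from dataclasses import dataclass

# Pure and modal types (constructed representation for this example).
@dataclass(frozen=True)
class Atom:          # atomic type such as exp, o, i, bool
    name: str

@dataclass(frozen=True)
class Arrow:         # function type dom -> cod
    dom: object
    cod: object

@dataclass(frozen=True)
class BoxT:          # modal type □A
    of: object

def split(B):
    """Write a pure type B as Π{Γ}.a: return the argument types of Γ and the target type a = τ(B)."""
    gamma = []
    while isinstance(B, Arrow):
        gamma.append(B.dom)
        B = B.cod
    return tuple(gamma), B

def pi(gamma, A):
    """Π{Γ}.A of Definition 5.9: Π{Γ, x:A'}.A = Π{Γ}.(A' -> A), so the last entry is innermost."""
    for t in reversed(gamma):
        A = Arrow(t, A)
    return A

def case_type(B, A, Bp):
    """C(B, A, B') of Definition 5.10 with B = Π{Γ}.a.

    Every argument of the constructor is closed under Γ and boxed; at the target
    type the branch returns A when the target equals τ(B).  The otherwise clause
    (target a' ≠ a, only reachable for pseudo constructors) is taken to be a' itself,
    the reading that yields the eq-test type of Example 5.11.
    """
    gamma, a = split(B)
    if isinstance(Bp, Atom):
        return A if Bp == a else Bp
    return Arrow(BoxT(pi(gamma, Bp.dom)), case_type(B, A, Bp.cod))

def complete_case_type(B, A, Bp):
    """C*(B, A, B') of Definition 5.12: one branch argument per pseudo constructor, then C(B, A, a)."""
    if isinstance(Bp, Atom):
        return case_type(B, A, Bp)
    return Arrow(case_type(B, A, Bp.dom), complete_case_type(B, A, Bp.cod))

def show(t):
    """Render a type with the usual conventions (-> associates to the right, □ binds tightest)."""
    if isinstance(t, Atom):
        return t.name
    if isinstance(t, BoxT):
        inner = show(t.of)
        return "□" + (inner if isinstance(t.of, Atom) else "(" + inner + ")")
    dom = show(t.dom)
    if isinstance(t.dom, Arrow):
        dom = "(" + dom + ")"
    return dom + " → " + show(t.cod)

# The types occurring in the text.
EXP, BOOL, O, I = Atom("exp"), Atom("bool"), Atom("o"), Atom("i")
BOX_BOOL = BoxT(BOOL)
EXP_EXP = Arrow(EXP, EXP)                    # subject type of id-test and of the inner case of eta-test
HOL_FORMULA = Arrow(Arrow(O, I), O)          # subject type of eq-test: (o -> i) -> o

def examples():
    return {
        # case construct of id-test: only the pseudo constructor x:exp gets a branch, of type □bool
        "id-test case": show(complete_case_type(EXP_EXP, BOX_BOOL, EXP_EXP)),
        # branch types of the inner case in eta-test (lam : (exp -> exp) -> exp, app : exp -> exp -> exp)
        "lam branch": show(case_type(EXP_EXP, BOX_BOOL, Arrow(EXP_EXP, EXP))),
        "app branch": show(case_type(EXP_EXP, BOX_BOOL, Arrow(EXP, EXP_EXP))),
        # Example 5.11: the pseudo constructor r : o -> i has target type i, which differs from o
        "eq-test case": show(complete_case_type(HOL_FORMULA, BOX_BOOL, HOL_FORMULA)),
    }

if __name__ == "__main__":
    for name, ty in examples().items():
        print(f"{name}: {ty}")
```

Running it prints, for the eq-test case, `(□((o → i) → o) → i) → □bool`, the second half of the type stated in Example 5.11; the id-test case yields `□bool → □bool`, which is why the case construct there is a function that must be applied to the branch object for x.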

Case distinction is now defined similarly to iteration. The result of the selection process, i.e. executing the case construct, is an object which resembles the (canonical) subject of the case in structure, but whose head constant is replaced by the matched object carrying the intended operational meaning of the selected branch. Even though the subject of case is closed before the selection process, we need to deal with embedded λ-abstractions introducing pseudo constructors. We simply replace variables x of type B' by new variables x' of type C(B, A, B'), where B is the type of the case subject.

Definition 5.13 (Match)

    Match:  Ξ ::= · | (Ξ | c ⇒ M) | (Ξ | x ⇒ x')

Initially the domain of a match is a signature containing all constructors whose target type is equal to τ(B). This signature is S(Σ; τ(B)). The form of case follows naturally: we extend the notion of objects by

    M ::= ... | case (A) M (Ξ)

and extend the typing rules for case. To do so we must introduce a new typing judgment for matches Ξ: Δ; Γ ⊢ Ξ : (B ⇒ A)(Σ). Ξ is well-typed if it provides an object of case type for every constant in some signature Σ.

Definition 5.14 (Typing judgment for case) extending Definition 3.1

\[ \frac{\Delta;\Gamma \vdash M : \Box B \qquad \Delta;\Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma')}{\Delta;\Gamma \vdash \mathsf{case}\,(A)\,M\,(\Xi) : \mathcal{C}^*(B, A, B)}\ \text{TpCase} \qquad\text{where } \Sigma' = \mathcal{S}(\Sigma; \tau(B)) \]

\[ \frac{}{\Delta;\Gamma \vdash \cdot : (B \Rightarrow A)(\cdot)}\ \text{TmBase} \]

\[ \frac{\Delta;\Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma) \qquad \Delta;\Gamma \vdash M : \mathcal{C}(B, A, B')}{\Delta;\Gamma \vdash (\Xi \mid c \Rightarrow M) : (B \Rightarrow A)(\Sigma, c{:}B')}\ \text{TmInd} \]

To summarize definition by cases we return to Example 5.5. As in the iteration case, it is necessary to first define the type of the function, because the subject of case must be closed. For our example we expect a function as input, which must be passed as subject to case. The result is bool, which must be boxed, since otherwise it cannot be used as input to other Boolean operations. Hence id-test has type □(exp → exp) → □bool.

The second step is to examine the type B = □(exp → exp) and the signature Σ for possible constructors and pseudo constructors of this type. For id-test we see that only lam, app, and the newly introduced pseudo constructor x are candidates for the head position. After determining the types of the match objects M_lam, M_app, and M_x, the objects can be defined.

Having done this, a match must be constructed, representing only the constructors from the signature Σ and the corresponding case objects (Ξ = lam ⇒ M_lam, app ⇒ M_app). The case construct is then a function which must be applied to the object M_x.

The operational semantics of case is defined by one rule using an auxiliary function which defines the process of selection. The subject of case must be closed; therefore we can define selection along its canonical form. The selection process then transforms this canonical object V of type B into {B ⇒ A; Ξ; ·}(V) of type C*(B, A, B).

Definition 5.15 (Selection)

\[ \{B \Rightarrow A;\, \Xi;\, \Psi\}(c) = \Xi(c) \quad (\text{SeConst}) \]

\[ \{B \Rightarrow A;\, \Xi;\, \Psi\}(x) = \Xi(x) \quad (\text{SeVar}) \]

\[ \{B \Rightarrow A;\, \Xi;\, \Psi\}(\lambda x{:}B'.\,V) = \lambda u{:}\mathcal{C}(B, A, B').\ \{B \Rightarrow A;\, \Xi, x \Rightarrow u;\, \Psi, x{:}B'\}(V) \quad (\text{SeLam}) \]

\[ \{B \Rightarrow A;\, \Xi;\, \Psi\}(V_1\,V_2) = \{B \Rightarrow A;\, \Xi;\, \Psi\}(V_1)\ (\mathsf{box}\ \lambda\{\Psi\}.\,V_2) \quad (\text{SeApp}) \]


Looking at an arbitrary canonical form of a case subject of type B, we recognize that it always has the form λ{Ψ}. c M1 .. Mn. Performing selection means to first traverse all λ-abstractions, introducing new variables for the functionality associated with each pseudo constructor. This is done by rule SeLam. While traversing the body of the canonical form, each argument Mi must be closed under Ψ and boxed, which is expressed by rule SeApp. Eventually the head constructor c is reached. In the case that c is a constructor, SeConst replaces the constant by the object defined for it in the match Ξ. If c is a pseudo constructor, then it was a variable name whose counterpart can also be found in the match Ξ, by SeVar.

The selection process is triggered by an additional evaluation rule, which defines the operational semantics of case.

Definition 5.16 (Evaluation judgment) extending Definition 3.3:

\[ \frac{\Psi \vdash M \hookrightarrow \mathsf{box}\ M' : \Box B \qquad \cdot \vdash M' \Uparrow V' : B \qquad \Psi \vdash \{B \Rightarrow A;\, \Xi;\, \cdot\}(V') \hookrightarrow V : \mathcal{C}^*(B, A, B)}{\Psi \vdash \mathsf{case}\,(A)\,M\,(\Xi) \hookrightarrow V : \mathcal{C}^*(B, A, B)}\ \text{EvCase} \]

The reader can now convince himself that the operational semantics yields the expected results on the examples of this section. This concludes the presentation of the core system of the modal λ-calculus. In the next sections we address the meta-theoretical properties of our system.
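The examples of this section can be run. The following Python program is an added example and not part of the paper: it encodes closed canonical objects as a small syntax tree whose meta-level abstractions (`MLam`) bind the pseudo constructors, implements selection following the four rules of Definition 5.15 (the match Ξ is a dict from constructor and pseudo-constructor names to branch objects, and selecting over a meta-level abstraction yields a Python function awaiting the branch for the pseudo constructor, which is why the inner case of eta-test is applied to `box false`), and defines beta-test (Example 5.6) and eta-test (Example 5.7) on top of it. `id-test` is written with the same case mechanism; `const` from Example 5.5 is not on this page and is implemented directly as an occurrence check. Types are not tracked, `box true` and `box false` are stand-ins built from Python booleans, and all names (`Const`, `Var`, `App`, `MLam`, `Box`, `closure`, `select`, `case`, `lam`, `app`) are this example's own.

```python
from dataclasses import dataclass

# Closed canonical objects (constructed representation; types are not tracked).
@dataclass(frozen=True)
class Const:        # object-level constructor from the signature, e.g. lam, app
    name: str

@dataclass(frozen=True)
class Var:          # pseudo constructor: bound by an enclosing meta-level abstraction
    name: str

@dataclass(frozen=True)
class App:          # application V1 V2
    fn: object
    arg: object

@dataclass(frozen=True)
class MLam:         # meta-level abstraction λx:B. V introducing the pseudo constructor x
    var: str
    body: object

@dataclass(frozen=True)
class Box:          # box V: the closed objects that may serve as case subjects
    body: object

TRUE, FALSE = Box(True), Box(False)       # stand-ins for box true and box false

def closure(psi, v):
    """λ{Ψ}. V of Definition 5.8: abstract over every pseudo constructor in Ψ."""
    for x in reversed(psi):
        v = MLam(x, v)
    return v

def select(match, psi, v):
    """{B ⇒ A; Ξ; Ψ}(V) of Definition 5.15.

    match (Ξ) maps constructor names and pseudo-constructor names to branch objects,
    so constructor names and bound variable names must not clash.
    """
    if isinstance(v, (Const, Var)):            # SeConst / SeVar: the head is replaced by Ξ(c) or Ξ(x)
        return match[v.name]
    if isinstance(v, MLam):                    # SeLam: λu. {B ⇒ A; Ξ, x ⇒ u; Ψ, x:B'}(V)
        return lambda u: select({**match, v.var: u}, psi + (v.var,), v.body)
    if isinstance(v, App):                     # SeApp: the argument is closed under Ψ and boxed
        return select(match, psi, v.fn)(Box(closure(psi, v.arg)))
    raise TypeError(f"not a canonical object: {v!r}")

def case(subject, match):
    """case (A) subject (Ξ): selection starts with Ψ = · on the closed subject."""
    return select(match, (), subject.body)

# Signature of Example 2.5: lam : (exp -> exp) -> exp and app : exp -> exp -> exp.
def lam(x, body):
    return App(Const("lam"), MLam(x, body))

def app(f, a):
    return App(App(Const("app"), f), a)

def occurs(x, v):
    """Does the pseudo constructor x occur free in V?"""
    if isinstance(v, Var):
        return v.name == x
    if isinstance(v, App):
        return occurs(x, v.fn) or occurs(x, v.arg)
    if isinstance(v, MLam):
        return v.var != x and occurs(x, v.body)
    return False

def const(f):
    """const : □(exp -> exp) -> □bool, true iff the bound variable does not occur in the body.
    Example 5.5's definition is not on this page; this is a direct implementation."""
    return Box(not occurs(f.body.var, f.body.body))

def id_test(f):
    """id-test : □(exp -> exp) -> □bool: true iff the pseudo constructor x itself is the head.
    The case construct is a function of the branch for x, so it is applied to box true."""
    return case(f, {"lam": lambda _: FALSE, "app": lambda _: lambda _: FALSE})(TRUE)

def and_(a, b):
    return Box(a.body and b.body)

def beta_test(e):
    """Example 5.6."""
    return case(e, {
        "lam": lambda e1: FALSE,
        "app": lambda e1: lambda e2: case(e1, {"lam": lambda _: TRUE,
                                               "app": lambda _: lambda _: FALSE}),
    })

def eta_test(e):
    """Example 5.7; the inner case is applied to box false, the branch for the pseudo constructor x."""
    return case(e, {
        "lam": lambda e1: case(e1, {
            "lam": lambda _: FALSE,
            "app": lambda e1p: lambda e2p: and_(const(e1p), id_test(e2p)),
        })(FALSE),
        "app": lambda e1: lambda e2: FALSE,
    })

if __name__ == "__main__":
    redex = Box(app(lam("x", Var("x")), lam("y", Var("y"))))          # (λx. x) (λy. y)
    eta = Box(lam("x", app(lam("y", Var("y")), Var("x"))))            # λx. (λy. y) x
    print(beta_test(redex), eta_test(redex), beta_test(eta), eta_test(eta))
```

Tracing `eta_test(eta)` shows the mechanism: SeLam turns the subject λx. app (lam λy. y) x into a function of the branch for x, SeApp hands the app branch the two closed arguments box λx. lam λy. y and box λx. x, and only then are const and id-test applied.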
6 Preliminary results

In the remainder of the paper we seek to prove that the modal λ-calculus presented in the previous sections is a conservative extension of the simply typed λ-calculus from Section 2. This theorem shows that every object of pure type in our system evaluates to an object of canonical form in the simply typed λ-calculus.

A milestone on the way towards this proof is the canonical form theorem, which we present in the next section. It guarantees that every object typable by a pure type possesses a canonical form. As a corollary of the canonical form theorem we obtain a type preservation result which says that types are preserved under evaluation.

In the remainder of this paper we will need some more basic technical notions and properties, which we present in this section. Due to their basic character, many of the lemmas in this section are very clear and their proofs do not require more than easy inductive arguments. Where appropriate we omit the proof.

6.1 Context

In Section 2 we defined a context Γ as a list of variables of pure type, which we generalized in Section 3 to a context Γ representing variables of arbitrary type. In the following sections it will be necessary to reason about contexts. The argument will involve extensions of contexts. Since this is a very standard and basic definition we introduce it at this point and show some simple properties which we need later.

Definition 6.1 (Context extension) Γ' ≥ Γ: Context Γ' extends context Γ.

Rules:

\[ \frac{}{\Gamma \geq \Gamma}\ \text{CeBase} \qquad\qquad \frac{\Gamma' \geq \Gamma}{\Gamma', x{:}A \geq \Gamma}\ \text{CeInd} \]

Note that defining context extension for general contexts Γ subsumes the notion of context extension for pure contexts. We now show four properties which are direct consequences of this definition. First, it is clear that every context extends the empty context. The proof is by induction.

Lemma 6.2 (Every context extends the empty context) $\Gamma \geq \cdot$

Proof: See Appendix B. □

Second, context extension is transitive. This is easily shown by induction over the structure of the second context Γ'.

Lemma 6.3 (Transitivity of context extension) If $\Gamma'' \geq \Gamma'$ and $\Gamma' \geq \Gamma$ then $\Gamma'' \geq \Gamma$.

Proof: omitted. □

Third, if a context extends a union of two contexts, then it can itself be written as a union of one of the two contexts and an extension of the other. This less obvious property is proven by induction.

Lemma 6.4 (Context form) If $\Gamma'' \geq \Gamma \cup \Gamma'$ then $\Gamma'' = \Gamma \cup \Gamma'''$ for some $\Gamma''' \geq \Gamma'$.

Proof: See Appendix B. □

As the fourth and last property of context extension we show that if one context extends another, the extension remains valid under union with some other context.

Lemma 6.5 (Context union) If $\Gamma' \geq \Gamma$ then $\Gamma'' \cup \Gamma' \geq \Gamma'' \cup \Gamma$.

Proof: omitted. □

Without proof we just state that the union with the empty context yields the same context.

Lemma 6.6 (Empty context on the left) $\cdot \cup \Gamma = \Gamma$

Proof: omitted. □

Recall how access to a context was defined: we write Γ(x) = A iff we can write Γ as Γ1, x:A ∪ Γ2. To be painstakingly precise we must require that if Γ itself is a union of two contexts, then one of the two contexts must be writable as such a union. We omit the boring proof.

Lemma 6.7 (Context union access) If $(\Gamma \cup \Gamma')(x) = A$ then $\Gamma = \Gamma_1, x{:}A \cup \Gamma_2$ or $\Gamma' = \Gamma_1, x{:}A \cup \Gamma_2$.

Proof: omitted. □

Closely related to contexts are substitutions, which we introduce after discussing the typing relation of our system.

6.2 Typing

The basic property needed in the proof of Lemma 7.17 in the next section is the admissibility of weakening for the typing relation. In other words: an extension of the typing context cannot invalidate typing derivations. The following lemma has two parts; the first discusses weakening in the modal context, the second weakening in the regular context. We omit the easy proof by induction.

Lemma 6.8 (Weakening on typing relation)

1. If $\Delta;\Gamma \vdash M : A$ and $\Delta' \geq \Delta$ then $\Delta';\Gamma \vdash M : A$.

2. If $\Delta;\Gamma \vdash M : A$ and $\Gamma' \geq \Gamma$ then $\Delta;\Gamma' \vdash M : A$.

Proof: omitted. □

Besides weakening we need another important lemma, the substitution lemma, which we present in two different flavors. The first substitution lemma guarantees that if we replace a variable from the modal context by a closed object of the required type, the result will still be typable.

Lemma 6.9 (Modal substitution lemma)

If $\Delta, y{:}A_1;\Gamma \vdash M : A_2$ and $\Delta;\cdot \vdash M' : A_1$ then $\Delta;\Gamma \vdash [M'/y](M) : A_2$.

Proof: omitted. □

The second substitution lemma is very similar to the first: it says that if a variable from the regular context is replaced by an arbitrary object of the correct type, then the result will still be typable.

Lemma 6.10 (Regular substitution lemma)

If $\Delta;\Gamma, y{:}A_1 \vdash M : A_2$ and $\Delta;\Gamma \vdash M' : A_1$ then $\Delta;\Gamma \vdash [M'/y](M) : A_2$.

Proof: omitted. □

These three lemmas form the basic properties of the typing relation which we need for the formal discussion of our system. In the next subsection we introduce the notion of substitution and show some related basic properties.

6.3 Substitution

In Section 3 we described the distinction between the parametric function space A1 → A2 and the primitive recursive function space from A1 to A2, which made a refinement of the context Γ from Section 2 necessary: we introduced the modal context Δ, whose variables range over closed objects, and the arbitrary context Γ, replacing the context of the simply typed λ-calculus, whose variables range over objects of arbitrary type. Contexts and substitutions are closely related. A substitution is defined as follows.

    Substitution:  ρ ::= · | ρ, M/x

Due to the presence of two contexts we carefully distinguish between a modal substitution θ, which substitutes closed objects for variables declared in a context Δ, and a substitution ρ, which substitutes arbitrary objects for variables declared in a context Γ. We write θ; ρ for such a pair of (necessarily disjoint) substitutions. Being disjoint means that θ and ρ do not have any variable names in common. This is guaranteed because the context Δ; Γ cannot declare the same variable name twice.

In our system substitutions are only applied to well-typed objects. Moreover, a substitution must substitute something for every free variable in the object. We now make this intuition about well-typed substitutions precise by introducing a typing judgment Δ'; Γ' ⊢ (θ; ρ) : (Δ; Γ) for substitutions. θ; ρ can be applied to objects which are well-typed in context Δ; Γ. The range of the substitution θ; ρ consists of objects which might depend on free variables from Δ'; Γ'.

Definition 6.11 (Typing of substitution judgment)

Rules:

\[ \frac{}{\Delta';\Gamma' \vdash (\cdot;\cdot) : (\cdot;\cdot)}\ \text{TSBase} \]

\[ \frac{\Delta';\cdot \vdash M : A \qquad \Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)}{\Delta';\Gamma' \vdash (\theta, M/x;\ \rho) : (\Delta, x{:}A;\ \Gamma)}\ \text{TSMod} \]

\[ \frac{\Delta';\Gamma' \vdash M : A \qquad \Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)}{\Delta';\Gamma' \vdash (\theta;\ \rho, M/x) : (\Delta;\ \Gamma, x{:}A)}\ \text{TSReg} \]

Note that substitutions satisfy a modal restriction (rule TSMod) which mirrors the restriction on typing box. Throughout this paper we apply a substitution (θ; ρ) satisfying Δ'; Γ' ⊢ (θ; ρ) : (Δ; Γ) to an object M, a term replacement Ω, or a match Ξ only if

\[ \Delta;\Gamma \vdash M : A \qquad \Delta;\Gamma \vdash \Omega : (\omega)(\Sigma') \qquad \Delta;\Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma') \]

holds, respectively. The result of the application will then be [θ; ρ](M), [θ; ρ](Ω), or [θ; ρ](Ξ), which have the following properties, respectively:

\[ \Delta';\Gamma' \vdash [\theta;\rho](M) : A \qquad \Delta';\Gamma' \vdash [\theta;\rho](\Omega) : (\omega)(\Sigma') \qquad \Delta';\Gamma' \vdash [\theta;\rho](\Xi) : (B \Rightarrow A)(\Sigma') \]

We now address the definition of substitution application, starting with how to access a substitution ρ. The definition follows the access to contexts presented in Section 2. First a union operation ρ1 ∪ ρ2 is needed.

Definition 6.12 (Substitution union)

Rules:

\[ \rho \cup \cdot = \rho \quad (\text{SbUBase}) \]

\[ \rho_1 \cup (\rho_2, M/x) = (\rho_1 \cup \rho_2), M/x \quad (\text{SbUInd}) \]

To look up the value of a variable in a substitution we write ρ(x), whose definition follows closely the definition of the lookup function for types in a context (Definition 2.2).

Definition 6.13 (Substitution access)

Rules:

\[ (\rho, M/y)(x) = \begin{cases} M & \text{if } x = y \\ \rho(x) & \text{otherwise} \end{cases} \quad (\text{SbAInd}) \]

Looking up the value in a substitution is the first step towards the application of a substitution θ; ρ to an object, which we define below. Recall that it is necessary to include both substitutions in this definition because of the distinction between modal and non-modal variables.

Definition 6.14 (Substitution application) Let θ; ρ be a substitution.

Rules:

\[ [\theta;\rho](x) = \begin{cases} M & \text{if } \theta(x) = M \\ M & \text{if } \rho(x) = M \end{cases} \quad (\text{SBVar}) \]

\[ [\theta;\rho](c) = c \quad (\text{SBConst}) \]

\[ [\theta;\rho](\lambda x{:}A.\,M) = \lambda x{:}A.\,[\theta;\ \rho, x/x](M) \quad (\text{SBLam}) \]

\[ [\theta;\rho](M_1\,M_2) = [\theta;\rho](M_1)\ [\theta;\rho](M_2) \quad (\text{SBApp}) \]

\[ [\theta;\rho](\langle M_1, M_2\rangle) = \langle [\theta;\rho](M_1), [\theta;\rho](M_2)\rangle \quad (\text{SBPair}) \]

\[ [\theta;\rho](\mathsf{fst}\ M) = \mathsf{fst}\ [\theta;\rho](M) \quad (\text{SBFst}) \]

\[ [\theta;\rho](\mathsf{snd}\ M) = \mathsf{snd}\ [\theta;\rho](M) \quad (\text{SBSnd}) \]

\[ [\theta;\rho](\mathsf{box}\ M) = \mathsf{box}\ [\theta;\cdot](M) \quad (\text{SBBox}) \]

\[ [\theta;\rho](\mathsf{let\ box}\ x = M_1\ \mathsf{in}\ M_2) = \mathsf{let\ box}\ x = [\theta;\rho](M_1)\ \mathsf{in}\ [\theta, x/x;\ \rho](M_2) \quad (\text{SBLet}) \]

\[ [\theta;\rho](\mathsf{case}\,(A)\,M\,(\Xi)) = \mathsf{case}\,(A)\,[\theta;\rho](M)\,([\theta;\rho](\Xi)) \quad (\text{SBCase}) \]

\[ [\theta;\rho](\mathsf{it}\,(\omega)\,M\,(\Omega)) = \mathsf{it}\,(\omega)\,[\theta;\rho](M)\,([\theta;\rho](\Omega)) \quad (\text{SBIt}) \]

Substitution on replacements Ω is defined as:

Rules:

\[ [\theta;\rho](\cdot) = \cdot \quad (\text{SBOmegaEmpty}) \]

\[ [\theta;\rho](\Omega \mid c \Rightarrow M) = [\theta;\rho](\Omega) \mid (c \Rightarrow [\theta;\rho](M)) \quad (\text{SBOmega}) \]

Substitution on matches Ξ is defined as:

Rules:

\[ [\theta;\rho](\cdot) = \cdot \quad (\text{SBXiEmpty}) \]

\[ [\theta;\rho](\Xi \mid c \Rightarrow M) = [\theta;\rho](\Xi) \mid (c \Rightarrow [\theta;\rho](M)) \quad (\text{SBXi}) \]

Note that the case SBVar is well-defined because every variable name which the substitution process might encounter is defined in either θ or ρ. The rules SBLam and SBLet look peculiar because of the extension of the substitution θ; ρ by x/x. The insight behind this construction is that we require a substitution to be defined on all free variables of a term: x may occur free in M in the case of SBLam, and it may also occur free in M2 in rule SBLet. Writing x/x implicitly stands for introducing a new variable name x and substituting it for the old x. We use this notational trick throughout this report.

A crucial rule in our system is SBBox. Since a boxed term is closed, it can only contain variables representing closed objects and not variables representing arbitrary objects. This is easily verified by inversion of the TpBox rule, because we assume the subject of substitution always to be well-typed. This means that ρ will not be used during the substitution process. Hence we need not consider it when traversing a box.

Our imposed requirement that substitutions must substitute all free variables in an object has further effects. It also makes it necessary to explicitly introduce the notion of identity substitutions, because the empty substitution plays the role of an identity substitution only when applied to closed terms. We hence define identity with respect to a context.

Definition 6.15 (Identity substitution) Let Γ be a context.

Rules:

\[ \mathrm{id}_{\cdot} = \cdot \quad (\text{IdEmpty}) \]

\[ \mathrm{id}_{\Gamma, x{:}A} = \mathrm{id}_{\Gamma}, x/x \quad (\text{IdNonEmpty}) \]

It is not difficult to show that the identity substitution id_Δ; id_Γ is well-typed and hence satisfies

Lemma 6.16 (Well-typedness of identity substitution)

$\Delta;\Gamma \vdash (\mathrm{id}_\Delta;\ \mathrm{id}_\Gamma) : (\Delta;\Gamma)$

Proof: omitted. □
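Definitions 6.14 and 6.15, executed as an added example in Python that is not part of the paper: `subst` implements the object-level rules SBVar, SBConst, SBLam, SBApp, SBBox and SBLet with the modal substitution θ and the regular substitution ρ as two dicts, `identity` builds id_Γ, and the x/x convention of SBLam and SBLet is made explicit by choosing a fresh name whenever a bound variable would capture a free variable of the substitution's range. Pairs, case and it are omitted. The checks confirm that ρ is dropped under box (SBBox), that a regular variable under box is rejected rather than silently resolved, and that the identity substitution returns its argument unchanged, which is what Lemma 6.23 below states. All names (`Var`, `Const`, `Lam`, `App`, `Box`, `LetBox`, `free_vars`, `lookup`, `fresh`, `subst`, `identity`, `try_subst`) are this example's own.

```python
from dataclasses import dataclass

# Objects of the modal λ-calculus (constructed representation; pairs, case and it are omitted).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class Lam:          # λx:A. M (the type annotation is not tracked)
    var: str
    body: object

@dataclass(frozen=True)
class App:
    fn: object
    arg: object

@dataclass(frozen=True)
class Box:          # box M
    body: object

@dataclass(frozen=True)
class LetBox:       # let box x = M1 in M2
    var: str
    rhs: object
    body: object

def free_vars(m):
    if isinstance(m, Var):
        return {m.name}
    if isinstance(m, Const):
        return set()
    if isinstance(m, App):
        return free_vars(m.fn) | free_vars(m.arg)
    if isinstance(m, Box):
        return free_vars(m.body)
    if isinstance(m, Lam):
        return free_vars(m.body) - {m.var}
    return free_vars(m.rhs) | (free_vars(m.body) - {m.var})   # LetBox

def lookup(theta, rho, x):
    """SBVar: every variable met during substitution must be defined in θ or ρ."""
    if x in theta:
        return theta[x]
    if x in rho:
        return rho[x]
    raise KeyError(f"variable {x} is not covered by the substitution (ill-typed subject?)")

def fresh(x, theta, rho, body):
    """The x/x convention: rename the binder x if it would capture a free variable of the range."""
    avoid = set()
    for z in free_vars(body) - {x}:
        avoid |= free_vars(lookup(theta, rho, z))
    y = x
    while y in avoid:
        y += "'"
    return y

def subst(theta, rho, m):
    """[θ; ρ](M) of Definition 6.14 (θ, ρ: dicts from variable names to objects)."""
    if isinstance(m, Var):                                      # SBVar
        return lookup(theta, rho, m.name)
    if isinstance(m, Const):                                    # SBConst
        return m
    if isinstance(m, App):                                      # SBApp
        return App(subst(theta, rho, m.fn), subst(theta, rho, m.arg))
    if isinstance(m, Lam):                                      # SBLam: ρ extended by x/x
        y = fresh(m.var, theta, rho, m.body)
        return Lam(y, subst(theta, {**rho, m.var: Var(y)}, m.body))
    if isinstance(m, Box):                                      # SBBox: ρ is dropped, θ continues
        return Box(subst(theta, {}, m.body))
    y = fresh(m.var, theta, rho, m.body)                        # SBLet: θ extended by x/x in M2
    return LetBox(y, subst(theta, rho, m.rhs),
                  subst({**theta, m.var: Var(y)}, rho, m.body))

def identity(ctx):
    """id_Γ of Definition 6.15 for a context given as its list of variable names."""
    return {x: Var(x) for x in ctx}

def try_subst(theta, rho, m):
    """Return [θ; ρ](M), or None when some variable is not covered (e.g. a regular variable under box)."""
    try:
        return subst(theta, rho, m)
    except KeyError:
        return None

if __name__ == "__main__":
    m = LetBox("v", Var("u"), Lam("x", App(Var("v"), App(Var("x"), Var("w")))))
    print(subst(identity(["u"]), identity(["w"]), m) == m)        # identity leaves m unchanged
    print(try_subst({}, {"x": Const("d")}, Box(Var("x"))))         # None: ρ is unavailable under box
```

The renaming in `fresh` is what makes the identity property hold syntactically rather than only up to α-conversion: a binder is renamed only when a free variable of the substituted objects would actually be captured, so id_Δ; id_Γ never renames anything.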

Two different notions of substitution have been used in the presentation of our system so far. For the evaluation rules EvApp and EvLet we used a substitution [M1/x](M2) to express that all occurrences of x in M2 must be replaced by M1. On the other hand, we introduced the notation (θ; ρ) in the most recent discussion. It is necessary to examine how these two notions of substitution fit together.

Lemma 6.17 (Property of substitutions)

1. $[M'/x]([\theta;\ \rho, x/x](M)) = [\theta;\ \rho, M'/x](M)$

2. $[M'/x]([\theta, x/x;\ \rho](M)) = [\theta, M'/x;\ \rho](M)$

Proof: omitted. □

Weakening is also admissible for the typing judgment of substitutions. Without proof we just state the result:

Lemma 6.18 (Weakening on typing substitution relation)

1. If $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ and $\Delta'' \geq \Delta'$ then $\Delta'';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$.

2. If $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ and $\Gamma'' \geq \Gamma'$ then $\Delta';\Gamma'' \vdash (\theta;\rho) : (\Delta;\Gamma)$.

Proof: omitted. □

By induction we can prove that the restriction of a well-typed substitution (θ; ρ) to (θ; ·) is also well-typed. If the domain of (θ; ρ) is (Δ; Γ), the domain of the restricted substitution is clearly (Δ; ·). Less clear is that we can also restrict the context Δ'; Γ' of the original well-typed substitution to Δ'; ·, because θ cannot depend on any variables from Γ'.
Lemma 6.19 (Modal substitution restriction)

If $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ then $\Delta';\cdot \vdash (\theta;\cdot) : (\Delta;\cdot)$.

Proof: See Appendix B. □

Another important observation is that if a variable name declared in the context Δ; Γ is encountered while substituting, we can determine the type and the new context of the substituted object. In case the encountered variable name is declared in the modal context, we can restrict the second component of the context to ·.

Lemma 6.20 (Properties of typing relation for substitutions)

1. If $\Delta = (\Delta_1, x{:}A) \cup \Delta_2$ and $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ then $\theta(x) = M$ and $\Delta';\cdot \vdash M : A$.

2. If $\Gamma = (\Gamma_1, x{:}A) \cup \Gamma_2$ and $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ then $\rho(x) = M$ and $\Delta';\Gamma' \vdash M : A$.

Proof: See Appendix B. □

These preparatory results lead us to a general substitution lemma for the typing relation. If an object M is well-typed in a context for which a substitution is well-defined, then its application to M yields an object of the same type as M in the context of the substitution. Since objects are also defined in terms of term replacements and matches, we must extend the result to both constructions, as we show by induction over the typing relations.

Lemma 6.21 (Substitution lemma for typing relation)

Let $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$; then the following holds:

1. If $\Delta;\Gamma \vdash M : A$ then $\Delta';\Gamma' \vdash [\theta;\rho](M) : A$.

2. If $\Delta;\Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma')$ then $\Delta';\Gamma' \vdash [\theta;\rho](\Xi) : (B \Rightarrow A)(\Sigma')$.

3. If $\Delta;\Gamma \vdash \Omega : (\omega)(\Sigma')$ then $\Delta';\Gamma' \vdash [\theta;\rho](\Omega) : (\omega)(\Sigma')$.

Proof: See Appendix B. □

As a corollary we can apply the substitution lemma for the typing relation to the identity substitution, which is well-typed by Lemma 6.16.

Corollary 6.22 (Well-typedness of application of identity substitution)

If $\Delta;\Gamma \vdash M : A$ then $\Delta;\Gamma \vdash [\mathrm{id}_\Delta;\ \mathrm{id}_\Gamma](M) : A$.

Proof: omitted. □

It now follows by a short inductive argument that the identity substitution behaves as expected: applied to an object M it returns M.

Lemma 6.23 (Identity substitution) Let Δ, Γ be contexts.

If $\Delta;\Gamma \vdash M : A$ then $[\mathrm{id}_\Delta;\ \mathrm{id}_\Gamma](M) = M$.

Proof: omitted. □
6.4 Atomic and canonical forms

For the atomic and canonical form judgments there is also a weakening result. The proof goes by mutual induction over the derivations of atomic and canonical forms. It is straightforward, and we omit it here.

Lemma 6.24 (Weakening for atomic/canonical forms)

1. If $\Gamma \vdash M \downarrow V : A$ and $\Gamma' \geq \Gamma$ then $\Gamma' \vdash M \downarrow V : A$.

2. If $\Gamma \vdash M \Uparrow V : A$ and $\Gamma' \geq \Gamma$ then $\Gamma' \vdash M \Uparrow V : A$.

Proof: omitted. □

A slightly more complicated property of atomic and canonical forms is that the type of an object can be inferred directly from the judgment. With an easy proof by mutual induction over the derivations of the canonical and the atomic form judgments we prove the following lemma:

Lemma 6.25 (Type preservation of atomic and canonical types)

1. If $\Gamma \vdash M \downarrow V : B$ then $\cdot;\Gamma \vdash V : B$.

2. If $\Gamma \vdash M \Uparrow V : B$ then $\cdot;\Gamma \vdash V : B$.

Proof: See Appendix B. □

6.5 Evaluation

For the evaluation judgment there is also a weakening result. The proof goes by induction over the evaluation derivation. It is so easy that we omit it here.

Lemma 6.26 (Weakening for evaluation)

If $\Gamma \vdash M \hookrightarrow V : A$ and $\Gamma' \geq \Gamma$ then $\Gamma' \vdash M \hookrightarrow V : A$.

Proof: omitted. □

6.6 Subordination of types

In this subsection we discuss basic properties related to the subordination of types. Recall that the subordination relation accounts for all dependencies introduced by the signature or by the subject type of iteration or case.

The first property is needed in some of the lemmas preceding the canonical form theorem. We require that target types are always atomic. The proof is easy, because the target type is defined to be the last atomic type occurring in an arbitrarily formed pure type. Therefore we do not feel too guilty in omitting the proof.
Lemma 6.27 (Properties of target types)

$\tau(B) = a$ for some atomic type $a$.

Proof: omitted. □

We will also need that the target type of some type B does not change if B is embedded in an abstraction closure. The proof goes by induction over the context defining the abstraction closure.

Lemma 6.28 (Goal types and abstraction closure types)

$\tau(\Pi\{\Gamma\}.\,B) = \tau(B)$

Proof: See Appendix B. □

Before we start with the discussion of the subordination we further refine the notion of
subordination. So far $a_1 \triangleleft_B a_2$ expresses that objects of type $a_1$ can be used to construct
objects of type $a_2$. In Section 4 we have seen that the subordination relation is not reflexive. The
simplest examples are the Booleans from Example 4.6. bool is not recursive, hence it does not hold
that $\mathit{bool} \triangleleft_B \mathit{bool}$. A closer look reveals that the subordination relation for bool is empty. But it
is definitely not the case that bool itself is empty. To account for this observation we extend the
notion of subordination relation. If $a \trianglelefteq_B \mathit{bool}$ holds, then objects of type $a$ can occur as objects
or subobjects of objects of type bool. We call this the weak subordination relation.

Definition 6.29 (Weak subordination relation) Let $B$ be a pure type.

$a_1 \trianglelefteq_B a_2 \iff a_1 \triangleleft_B a_2$ or $a_1 = a_2$


In  the  remainder  of  this  section  we  characterize  and  discuss  a  few  major  properties  of  type 
subordination  which  will  prove  very  useful  when  we  tackle  the  proof  of  the  canonical  form  theorem. 

First we want to point out that there is a close relationship between the source types of a
constructor type and the subordination relation. This relationship can be characterized by the
following observation: every source type of the constructor type is trivially subordinated by the
goal type of the constructor. A second important property is a transitivity property of the weak
subordination relation: if a type $a_1$ is subordinated by a type $a_2$ and $a_2$ is weakly subordinated by
a type $a_3$, then $a_1$ is automatically subordinated by $a_3$. Note that this formulation of the lemma
is slightly stronger than just assuming $a_2$ to be subordinated by $a_3$; in that case the result follows
trivially from Definition 4.24 of subordination.

Lemma 6.30 (Properties of subordination) Let $c : C \in \Sigma$, $B$ a pure type.

1. If $a \in \mathit{Source}(C)$ then $a \triangleleft_B \tau(C)$

2. If $a_1 \triangleleft_B a_2$ and $a_2 \trianglelefteq_B a_3$ then $a_1 \triangleleft_B a_3$

Proof: See appendix B. □

Variables introduced by a context can be interpreted as a set of pseudo constructors or
parameters, as we pointed out in Section 4. Since pseudo constructors are variable names which are
represented in a context, we must extend the notion of subordination to contexts: for all pseudo
constructor types $B'$, if the target type $\tau(B')$ subordinates $a$, all source types of $B'$ must also
subordinate $a$.

Definition 6.31 (Subordination on contexts) Let $a$ be an atomic type.

$\cdot \triangleleft_B a$

$\Gamma, x : B' \triangleleft_B a \iff \Gamma \triangleleft_B a$ and if $\tau(B') \triangleleft_B a$ then for all $y \in \mathit{Source}(B')$: $y \triangleleft_B a$

It will become clear during the proof of the canonical form theorem how context subordination
is used. Here is what we need for the proof: if a variable $x$ of type $B'$ is defined in a context $\Gamma$
and $\Gamma \triangleleft_B \tau(B)$, then all source types of $B'$ are automatically subordinated by the goal type
of $B$. The proof is an easy induction over the context $\Gamma$.

Lemma 6.32 (Properties of context subordination) Let $B$ be a pure type.

If $\Gamma = (\Gamma_1, x : B') \cup \Gamma_2$ and $\Gamma \triangleleft_B \tau(B)$ then $\tau(B') \triangleleft_B \tau(B)$ implies that for all $y \in \mathit{Source}(B')$:
$y \triangleleft_B \tau(B)$


Proof:  See  appendix  B.  □ 

The next result has to do with pseudo constructor types. By an easy induction it can be shown
that if $B'$ is a pseudo constructor type introduced by a type $B$, then all source types of $B'$ must also
be source types of $B$. This is clear because every pseudo constructor type corresponds to a domain
type of $B$, and $B$ must be a function type. Every source type of $B'$ is hence a source type of $B$.
We omit the proof.

Lemma 6.33 (Subset property of PCT)

For all $B' \in \mathit{PCT}(B)$ the following holds:

$\mathit{Source}(B') \subseteq \mathit{Source}(B)$


Proof:  omitted.  □ 

Pseudo constructor types also have another property. This property has to do with dynamic
type subordination: if a pseudo constructor type $B'$ of a type $B$ is given, and $a$ is a type which is
immediately subordinated by the target type of $B'$, then we have $a \triangleleft_B \tau(B')$, because every source
type of $B'$ is also a source type of $B$. The proof is done by induction over the type $B$.

Lemma 6.34 (Property of dynamic typing)

If $B' \in \mathit{PCT}(B)$ then $a \triangleleft_{B'} \tau(B')$ implies $a \triangleleft_B \tau(B')$


Proof:  See  appendix  B.  □ 

The last three lemmas in this subsection answer an important question which will be raised
in the proof of the canonical form theorem. Without going into details, the property we need is
as follows. Assume $B, C$ are two pure types. We must show that if the target type of $B$ is not
subordinated by the target type of $C$ then $(\omega)(C) = C$. We will try to shed some light on this
problem. While traversing a subject of type $B$, iteration may encounter constants of type $C$ whose
target type does not occur in the inductive datatype $\mathcal{I}(\Sigma; B)$ (see Example 4.8, Example 4.5).
This information can already be extracted from the subordination relation. If a constant $c$ of type
$C$ is encountered during the traversal, $\tau(C) \trianglelefteq_B \tau(B)$ must hold, as we prove below. If the
reverse ($\tau(B) \trianglelefteq_B \tau(C)$) also holds, $\tau(C)$ must be an element of $\mathcal{I}(\Sigma; B)$ by definition. This might
not always be the case. In Example 4.8 $\mathit{nat} \notin \mathcal{I}(\Sigma; \mathit{db})$, in Example 4.5 $i \notin \mathcal{I}(\Sigma; o)$. Constants
with a target type not being an element of the inductive type remain untouched by the process of
elimination. Is the result of the elimination process still well-typed? We must require
that $\omega$ applied to a constructor type $C$ with target type outside of $\mathcal{I}(\Sigma; B)$ is mapped to $C$.

Thus, more formally, we must show that if $\tau(C) \notin \mathcal{I}(\Sigma; B)$ then $(\omega)(C) = C$. We split this proof
into two parts. The first part we present here, that is, we show that if $\tau(B)$ is not subordinated by
$\tau(C)$ the claim is fulfilled. The second part will be mainly discussed in the proof of the canonical
form theorem, but we show an auxiliary result in this section. The idea behind the second part of
the proof is to show that the case "$\tau(C)$ is not subordinated by $\tau(B)$" cannot occur. For the first
part of the proof we show two lemmas.

1. If $\tau(B) \not\triangleleft_B \tau(C)$ then $\mathit{Source}(C) \cap \mathcal{I}(\Sigma; B) = \emptyset$

2. If $\mathit{Source}(C) \cap \mathcal{I}(\Sigma; B) = \emptyset$ and $\tau(C) \notin \mathcal{I}(\Sigma; B)$ then $(\omega)(C) = C$

If the target type of $B$ is not subordinated by the target type of $C$, then clearly none of the
(atomic) source types of $C$ is a member of the inductive datatype. If there were an atomic type
which is both an element of the inductive datatype and a source type of $C$, then this atomic source
type would subordinate the target type of $B$, and hence our assumption would be violated. We show
this claim directly.

Lemma 6.35 (Independence)

If $\tau(B) \not\triangleleft_B \tau(C)$ then $\mathit{Source}(C) \cap \mathcal{I}(\Sigma; B) = \emptyset$


Proof:  See  appendix  B.  □ 

The  second  property  ensures  that  if  there  isn’t  any  source  type  of  C  in  the  domain  of  a  type 
replacement,  the  type  replacement  does  not  have  any  effect  on  C .  We  show  this  claim  by  induction 
over  the  constructor  type. 

Lemma 6.36 (Properties of Join) Let $c : C \in \Sigma$, $\alpha$ arbitrary and $\vdash \omega : \alpha$.

If $\mathit{Source}(C) \cap \alpha = \emptyset$ and $\tau(C) \notin \alpha$ then $(\omega)(C) = C$

Proof: See appendix B. □

The auxiliary lemma for the second part states that if the target type of a constructor type
$C$ does not occur in the inductive datatype, but the target type of $C$ is either equal to or
subordinated by the target type of $B$, then it is impossible that $\tau(B)$ is subordinated by $\tau(C)$.

Lemma 6.37 (Properties of subordination)

If $\tau(C) \notin \mathcal{I}(\Sigma; B)$ and $\tau(C) \trianglelefteq_B \tau(B)$ then $\tau(B) \not\triangleleft_B \tau(C)$


Proof:  See  appendix  B.  □ 

This  concludes  the  section  of  the  basic  preliminary  results.  In  the  next  section  we  will  address 
the  problem  of  the  existence  of  canonical  forms  for  typed  objects. 
7 Canonical form theorem

The aim of this section is to prove the canonical form property of the modal $\lambda$-calculus. The
main result will be that every object of pure type in a pure context possesses a canonical form.
In our notation this property is expressed as: if $\cdot; \Psi \vdash M : B$ then $\Psi \vdash M \Uparrow V : B$. This result
implies the conservative extension property of $\lambda^{\Box}$, which we will show in Section 9. We prove this
by Tait's method, often called an argument by logical relations or reducibility candidates. In such
an argument we construct an interpretation of types as a relation between objects, in our case a
unary relation. Assume we are trying to establish a property $P$ of all well-typed objects of type
$B$. In our case $P$ holds if there is an object $V$ such that $\Psi \vdash M \Uparrow V : B$. The proof using logical
relations then proceeds in two steps. In the first step the object which should satisfy $P$ must be
proven to be a member of the logical relation. Then we prove by induction that for every member
of the logical relation the property $P$ holds.

Before we go into the details of how the logical relation is defined, we derive some useful lemmas
which are necessary for the argument. Some of the following proofs rely on the fact that canonical
and atomic forms evaluate to themselves. This fact, even though it might seem trivial, requires a
mutual inductive argument: to prove that atomic and canonical forms evaluate to themselves we
require that the notion of evaluation implies, in a sense, the notion of evaluation to a canonical form:
if $M$ evaluates to $V$ and $V$ happens to be canonical, then $M$ evaluates canonically to $V$. These
properties are expressed by the following lemma.

Lemma 7.1 (Self evaluation)

1. If $\Psi \vdash M \hookrightarrow V : B$ and $\Psi \vdash V \Uparrow B$ then $\Psi \vdash M \Uparrow V : B$

2. If $\Psi \vdash V \Uparrow B$ then $\Psi \vdash V \hookrightarrow V : B$

3. If $\Psi \vdash V \downarrow B$ then $\Psi \vdash V \hookrightarrow V : B$


Proof:  See  appendix  C.  □ 

Another result which seems intuitively clear but must be proven is the following: by definition,
objects evaluate to other objects under the judgment $\Psi \vdash M \Uparrow V : B$. Since this is the judgment
for canonical evaluation, we expect $V$ to be canonical. That this holds is expressed by the next
lemma. Contrary to intuition, the proof is not straightforward, since the notion of conversion to
canonical forms depends on the evaluation judgment. On the other hand, it is also not very sensible
to try to prove that for every object $M$, $\Psi \vdash M \hookrightarrow V : A$ implies that $V$ is a canonical form. For
example, consider the signature from Example 2.5: it is easy to see that

$\cdot \vdash \lambda x{:}\mathit{exp}.\ (\lambda y{:}\mathit{exp}.\ y)\ x \hookrightarrow \lambda x{:}\mathit{exp}.\ (\lambda y{:}\mathit{exp}.\ y)\ x : \mathit{exp} \to \mathit{exp}$

but it is also clear that $\lambda x{:}\mathit{exp}.\ (\lambda y{:}\mathit{exp}.\ y)\ x$ is not canonical, because the body of the $\lambda$-expression
can be $\beta$-reduced. However, it holds when restricted to atomic types:

Lemma 7.2 (Property of evaluation results)

1. If $\Psi \vdash M \Uparrow V : B$ then $\Psi \vdash V \Uparrow B$

2. If $\Psi \vdash M \hookrightarrow V : a$ then $\Psi \vdash V \Uparrow a$


Proof:  See  appendix  C.  □ 

Consider Example 2.5 again. The constant app is not a canonical form either. The reason is
that canonical forms are actually objects in $\eta$-long $\beta$-normal form; app can easily be transformed
into such a form: $\lambda x{:}\mathit{exp}.\ \lambda y{:}\mathit{exp}.\ \mathit{app}\ x\ y$. According to Lemma 7.2 (2) the result of an evaluation
is canonical only if it is an object of atomic type. Nothing is said about functions. Fortunately we
can prove that every object $M$ evaluating to an atomic form $V$ necessarily evaluates to a canonical
form $V'$.

Lemma 7.3 (Evaluation to atomic forms implies evaluation to canonical forms)

If $\Psi \vdash M \hookrightarrow V : B$ and $\Psi \vdash V \downarrow B$ then $\Psi \vdash M \Uparrow V' : B$ for some $V'$


Proof:  See  appendix  C.  □ 

These three lemmas are necessary for some of the proofs below. We now address the definition
of the logical relation. Recall that the logical relation is a set of objects satisfying a certain property
specified by a type $A$ and a context $\Psi$. For our system we introduce two logical relations: the
logical relation of objects evaluating to some other object, and the logical relation of values. For
the first we write $\Psi \vdash M \in [A]$ to express that object $M$ satisfies the relation $[A]$ in context $\Psi$.
Similarly for the logical relation of values: we write $\Psi \vdash V \in |A|$, meaning that value $V$ satisfies
the relation $|A|$ in context $\Psi$. Both relations are defined by structural induction over $A$.

Definition 7.4 (Logical relation)

$\Psi \vdash M \in [A] \iff \cdot; \Psi \vdash M : A$ and $\Psi \vdash M \hookrightarrow V : A$ and $\Psi \vdash V \in |A|$

$\Psi \vdash V \in |A|$:

Case: $A = a$ and $\Psi \vdash V \Uparrow a$

Case: $A = A_1 \to A_2$ and either

    Case: $V = \lambda x{:}A_1.\ M$ and for all $\Psi' \geq \Psi$: $\Psi' \vdash V' \in |A_1| \Rightarrow \Psi' \vdash [V'/x](M) \in [A_2]$

  or

    Case: $\Psi \vdash V \downarrow A_1 \to A_2$ and for all $\Psi' \geq \Psi$: $\Psi' \vdash V' \Uparrow A_1 \Rightarrow \Psi' \vdash V\ V' \in |A_2|$

Case: $A = A_1 \times A_2$ and $V = \langle M_1, M_2 \rangle$ and $\Psi \vdash M_1 \in [A_1]$ and $\Psi \vdash M_2 \in [A_2]$

Case: $A = \Box A'$ and $V = \mathsf{box}\ M$ and $\cdot \vdash M \in [A']$

Note that the first logical relation requires its elements to be well-typed. This is necessary
because our argument requires that all objects in the relation are well-typed, as we will see in
Lemma 7.47: $\Psi \vdash M \in [A]$ must imply that $M$ has type $A$ in $\cdot; \Psi$. In Lemma 7.19 we show
that this property propagates to the logical relation of values.
Objects were defined in terms of term replacements and matches (see Section 4, Section 5).
Later on in this section we will need to show that every object defined in a term replacement or
match is a member of a logical relation. To make our presentation of this circumstance cleaner
and easier to understand we introduce the notion of logical relations for term replacements.
A term replacement is an element of the logical relation defined by a signature $\Sigma$ and a context $\Phi$
representing pseudo constructors if every object associated with a (pseudo) constructor satisfies
the logical relation defined by the type which results from applying the type replacement $\omega$
(defined by the iterator object) to the (pseudo) constructor type.

Definition 7.5 (Logical relation for term replacements) $\Psi; \Phi \vdash \Omega \in [(\omega)(\Sigma; \Phi)]$

Case: If $\Phi = \cdot$ and $\Sigma = \cdot$ then $\Omega = \cdot$

Case: If $\Phi = \cdot$ and $\Sigma = \Sigma', c : B$ then $\Omega = \Omega' \mid c \mapsto M$ and $\Psi \vdash M \in [(\omega)(B)]$ and $\Psi; \cdot \vdash \Omega' \in [(\omega)(\Sigma'; \cdot)]$

Case: If $\Phi = \Phi', x : B$ then $\Omega = \Omega' \mid x \mapsto u$ and $\Psi \vdash u \in [(\omega)(B)]$ and $\Psi; \Phi' \vdash \Omega' \in [(\omega)(\Sigma; \Phi')]$

The context defined for the logical relation of term replacements is split into two parts $\Psi; \Phi$. $\Psi$
represents the context of variables which might occur free in the objects associated with constructors
(note: not pseudo constructors), and $\Phi$ stands for the context of newly defined variables which
rename the original pseudo constructors. We must keep both contexts separate, because to prove
Lemma 7.46 and Lemma 7.43 we define a substitution which acts as the identity on all variables
defined in $\Psi$, but not necessarily on $\Phi$. Not distinguishing between both contexts of variables would
mean discarding this information, which we will need.

We have seen that every object in the logical relation $[A]$ is well-typed. This property propagates
to term replacements. With an easy inductive proof we can show that

Lemma 7.6 (Type preservation for term replacements) If $\Psi; \cdot \vdash \Omega \in [(\omega)(\Sigma; \cdot)]$ then

$\cdot; \Psi \vdash \Omega : (\omega)(\Sigma)$

Proof:  See  appendix  C.  □ 

Similarly we define the logical relation for matches. A match is an element of the logical
relation defined by a signature $\Sigma$ and a context $\Phi$ representing pseudo constructors if every object
associated with a (pseudo) constructor satisfies the logical relation defined by the case type of the
(pseudo) constructor type. For the same reasons as for term replacements we define the logical
relation using two contexts $\Psi; \Phi$. Here is the definition.

Definition 7.7 (Logical relation for matches) $\Psi; \Phi \vdash \Xi \in [(B \to A)(\Sigma; \Phi)]$

Case: If $\Phi = \cdot$ and $\Sigma = \cdot$ then $\Xi = \cdot$

Case: If $\Phi = \cdot$ and $\Sigma = \Sigma', c : B'$ then $\Xi = \Xi' \mid c \mapsto M$ and $\Psi \vdash M \in [\mathcal{C}(B, A, B')]$ and
$\Psi; \cdot \vdash \Xi' \in [(B \to A)(\Sigma'; \cdot)]$

Case: If $\Phi = \Phi', x : B'$ then $\Xi = \Xi' \mid x \mapsto u$ and $\Psi \vdash u \in [\mathcal{C}(B, A, B')]$ and $\Psi; \Phi' \vdash \Xi' \in$
$[(B \to A)(\Sigma; \Phi')]$
We have seen that every object in the logical relation $[A]$ is well-typed, and so is every term
replacement. As we might expect, this property can also be shown for matches. By simple induction
we obtain:

Lemma 7.8 (Type preservation for matches) If $\Psi; \cdot \vdash \Xi \in [(B \to A)(\Sigma; \cdot)]$ then $\cdot; \Psi \vdash \Xi :$

Proof:  See  appendix  C.  □ 

We  start  now  with  the  discussion  of  the  logical  relation.  The  next  few  lemmas  show  some  useful 
properties  implied  by  this  definition,  all  necessary  to  eventually  prove  the  canonical  form  theorem. 
The  first  lemma  is  a  standard  weakening  lemma  for  logical  relations: 

Lemma 7.9 (Weakening for logical relations)

1. If $\Psi \vdash M \in [A]$ and $\Psi' \geq \Psi$ then $\Psi' \vdash M \in [A]$

2. If $\Psi \vdash V \in |A|$ and $\Psi' \geq \Psi$ then $\Psi' \vdash V \in |A|$


Proof:  See  appendix  C.  □ 

We must extend this result to logical relations for term replacements. Recall that the logical
relation for term replacements is defined using two separate contexts $\Psi; \Phi$. For our purposes it is
enough to prove weakening as an extension of the context $\Psi$.

Lemma 7.10 (Weakening for logical relations for replacements)

If $\Psi; \Phi \vdash \Omega \in [(\omega)(\Sigma; \Phi)]$ and $\Psi' \geq \Psi$ then $\Psi'; \Phi \vdash \Omega \in [(\omega)(\Sigma; \Phi)]$


Proof:  See  appendix  C.  □ 

The logical relation for matches was defined analogously to the logical relation of term
replacements. As expected, the formulation of the weakening property is similar to the previous one.

Lemma 7.11 (Weakening for logical relations for matches)

If $\Psi; \Phi \vdash \Xi \in [(B \to A)(\Sigma; \Phi)]$ and $\Psi' \geq \Psi$ then $\Psi'; \Phi \vdash \Xi \in [(B \to A)(\Sigma; \Phi)]$


Proof:  See  appendix  C.  □ 

The logical relations of term replacements and matches play a very important role when we
discuss the elimination process. Recall from Definition 4.28 that this process traverses the structure
of the subject of iteration. Eventually constants or variables will be encountered. We will see in
the proof of Lemma 7.43 that the term replacement $\Omega$ is then an element of the corresponding
logical relation. The problem reduces to looking up the encountered constant or variable in $\Omega$. The
attentive reader has probably already recognized that three cases might occur.


•  A constructor has been encountered which is defined by $\Omega$.

•  A constructor has been encountered which has not been defined by $\Omega$.

•  A pseudo constructor has been encountered which must be defined in $\Omega$.

The third case speaks of "must be defined in $\Omega$" because the subject of iteration was closed, so every
traversed $\lambda$-abstraction has extended $\Omega$ by an appropriate variable renaming. We now discuss each
of these three cases by showing three lemmas.

If $c : B$ is the encountered constructor, which happens to be defined in $\Sigma$, the domain of the
logical relation for replacements, then $\langle \omega; \Omega \rangle(c)$ is of correct type and in the logical relation.

Lemma 7.12 (Access to logical relations for replacements I) If $\Sigma = \Sigma_1, c : B \cup \Sigma_2$ and
$\Psi; \Phi \vdash \Omega \in [(\omega)(\Sigma; \Phi)]$ then $\Psi \vdash M \in [(\omega)(B)]$ and $M = \langle \omega; \Omega \rangle(c)$

Proof:  See  appendix  C.  □ 

In the case that $c : B$ is not defined in this signature, $\Omega(c)$ is undefined.

Lemma 7.13 (Access to logical relations for replacements II) If $\Sigma(c)$ is undefined and
$\Psi; \Phi \vdash \Omega \in [(\omega)(\Sigma; \Phi)]$ then $\Omega(c)$ is undefined

Proof:  See  appendix  C.  □ 

In the case that the traversal of the iteration encountered a pseudo constructor $x : B$ defined in $\Phi$,
$x$ is renamed by the term replacement to a new variable name $u$, which happens to be an
element of $[(\omega)(B)]$.

Lemma 7.14 (Access to logical relations for replacements III) If $\Phi = \Phi_1, x : B \cup \Phi_2$ and
$\Psi; \Phi \vdash \Omega \in [(\omega)(\Sigma; \Phi)]$ then $\Psi \vdash u \in [(\omega)(B)]$ and $\Psi = \Psi_1, u : (\omega)(B) \cup \Psi_2$ and
$u = \langle \omega; \Omega \rangle(x)$

Proof:  See  appendix  C.  □ 

We have a very similar situation for matches. Recall from Definition 5.15 that the process of
selection traverses the subject of case to find its head constructor. In the proof of Lemma 7.46 we
will have that $\Xi$ is in the logical relation of matches. Thus we must look up the head constructor
in $\Xi$. Contrary to the term replacement, only two cases can occur, because the case object must
have been well-typed.

•  A constructor is the head constructor, which is defined in $\Xi$.

•  A pseudo constructor is the head constructor, which is defined in $\Xi$.

We now discuss each of the cases by showing two lemmas. If $c : B'$ is the head constructor, it is
accounted for in $\Xi$ and $\{B \to A; \Xi; \Phi\}(c)$ is of correct type and an element of the logical relation
$[\mathcal{C}(B, A, B')]$.

Lemma 7.15 (Access to logical relations for matches I) If $\Sigma = \Sigma_1, c : B' \cup \Sigma_2$ and $\Psi; \Phi \vdash$
$\Xi \in [(B \to A)(\Sigma; \Phi)]$ then $\Psi \vdash M \in [\mathcal{C}(B, A, B')]$ and $M = \{B \to A; \Xi; \Phi'\}(c)$ for an
arbitrary $\Phi'$.

Proof: See appendix C. □

On the other hand, if $x : B'$ is the head constructor, it is also accounted for in $\Xi$ and
$\{B \to A; \Xi; \Phi\}(x)$ is of correct type and an element of the logical relation $[\mathcal{C}(B, A, B')]$.

Lemma 7.16 (Access to logical relations for matches II) If $\Phi = \Phi_1, x : B' \cup \Phi_2$ and $\Psi;$
$\Phi \vdash \Xi \in [(B \to A)(\Sigma; \Phi)]$ then $\Psi \vdash u \in [\mathcal{C}(B, A, B')]$ and $\Psi = \Psi_1, u : \mathcal{C}(B, A, B') \cup \Psi_2$ and
$u = \{B \to A; \Xi; \Phi'\}(x)$ for an arbitrary $\Phi'$.

Proof:  See  appendix  C.  □ 

The  principal  lemmas  we  need  for  the  proof  of  the  canonical  form  theorem  are  the  following. 
Every  well-typed  object  is  an  element  of  the  logical  relation  defined  by  its  type,  and  every  element 
of  a  logical  relation  has  a  canonical  form.  More  formally: 

1. If $\cdot; \Psi \vdash M : A$ then $\Psi \vdash M \in [A]$

2. If $\Psi \vdash M \in [B]$ then $\Psi \vdash M \Uparrow V : B$

In  this  presentation  we  first  show  the  second  lemma.  To  prove  it,  we  must  generalize  its 
formulation.  The  proof  depends  on  the  fact  that  atomic  objects  of  pure  types  B  are  always  in  the 
logical  relation  of  values  |B|.  By  mutual  induction  we  can  then  show  the  following  lemma: 

Lemma 7.17 (Logical relations and canonical forms)

1. If $\Psi \vdash M \in [B]$ then $\Psi \vdash M \Uparrow V : B$

2. If $\Psi \vdash V \downarrow B$ then $\Psi \vdash V \in |B|$


Proof:  See  appendix  C.  □ 

In Section 3 we introduced arbitrary types, as opposed to the pure types from Section 2. We show now
by an easy inductive argument that if an object is atomic of some type $A$ in a pure context, then
$A$ must necessarily be pure.

Lemma 7.18 (Types of atomic objects are pure)

If $\Psi \vdash V \downarrow A$ then $A$ is pure.


Proof:  See  appendix  C.  □ 

This  lemma  is  necessary  for  the  proof  of  the  well-typedness  of  objects  in  the  logical  relation  of 
values,  as  briefly  discussed  above.  We  have  seen  that  every  object  in  [A]  is  of  type  A.  We  show 
now  that  every  object  in  relation  |A|  is  also  well-typed. 

Lemma 7.19 (Well-typedness of logical relations)

If $\Psi \vdash V \in |A|$ then $\cdot; \Psi \vdash V : A$


Proof:  See  appendix  C.  □ 

But this is not the only property objects satisfying relation $|A|$ enjoy. Based on the self
evaluation Lemma 7.1, it is now easy to show that every object in $|A|$ evaluates to itself. The proof
goes by structural induction over the type $A$.

Lemma 7.20 (Logical relations: Self evaluation of values)

If $\Psi \vdash V \in |A|$ then $\Psi \vdash V \hookrightarrow V : A$


Proof:  See  appendix  C.  □ 

A direct consequence of these two lemmas is that every object in $|A|$ is also an object in $[A]$.
This is a result which we use quite often in the proofs of the subsequent lemmas. We state this result
in the form of a lemma:

Lemma 7.21 (Logical relation subsumption)

If $\Psi \vdash V \in |A|$ then $\Psi \vdash V \in [A]$


Proof:  See  appendix  C.  □ 

Recall that all the lemmas presented here serve the purpose of proving the first of the two
lemmas necessary for the proof of the canonical form theorem. We shall now introduce more pieces
to complete the mosaic. To prove the first lemma we need to show that every typable object of
type $A$ satisfies the relation $[A]$. Consider a typing derivation ending with the typing rule TpApp.
We see that the result object of the rule is an application $M_1\ M_2$. $M_1$ is a function, $M_2$ is the
parameter object of suitable type. The next lemma shows that it is legitimate to establish a similar
way of reasoning with logical relations. If $M_1$ satisfies the logical relation created by a function
type $A_2 \to A_1$ and $M_2$ satisfies the logical relation created by the domain of the function type,
namely $[A_2]$, then $(M_1\ M_2)$ satisfies $[A_1]$. The proof of this lemma is fairly straightforward and
makes use of Lemma 7.17 and Lemma 7.2. This property will be very useful for the proof of the
canonical form theorem.

Lemma 7.22 (Logical relation is closed under application)

If $\Psi \vdash M_1 \in [A_2 \to A_1]$ and $\Psi \vdash M_2 \in [A_2]$ then $\Psi \vdash M_1\ M_2 \in [A_1]$


Proof:  See  appendix  C.  □ 

Recall  that  the  proof  of  the  canonical  form  theorem  is  performed  in  two  steps. 


1. If $\Psi \vdash M \in [B]$ then $\Psi \vdash M \Uparrow V : B$

2. If $\cdot; \Psi \vdash M : A$ then $\Psi \vdash M \in [A]$

We already proved the first step by slightly generalizing the lemma. The second lemma cannot be
proven without generalization either. The problem we encounter when we try to prove it directly
is that the context $\Psi$ may grow during the typing process (TpLam). It is also possible that the
modal context, which is empty in the current formulation of the lemma, does not remain empty
throughout the typing derivation (TpLet).

To successfully prove this lemma we must generalize its formulation by using substitutions.
Given a typing derivation $\Delta; \Gamma \vdash M : A$ and a substitution for $\Delta; \Gamma$, where the objects introduced by
the substitution might depend on free variables from a context $\Psi$, we can show that the substituted
object $[\theta; \eta](M)$ is indeed an object in $[A]$. The desired result is a consequence of this generalized
lemma using the identity substitution introduced by Definition 6.15.

We are still far away from proving this generalized lemma; some key lemmas must still be
developed and proven. In the remainder of this section, we address the following issues: First we
introduce  logical  relations  for  contexts.  Substitutions  are  elements  of  such  a  logical  relation.  Some 
more  technical  results  are  necessary,  which  will  be  discussed  right  after  this  definition.  Second, 
we  need  auxiliary  lemmas  for  the  elimination  and  the  selection  judgment.  These  auxiliary  lemmas 
obviously  depend  on  type  replacements  and  (complete)  case  types.  Some  additional  reasoning  is 
necessary  to  show  that  the  treatment  of  constants  during  the  elimination  process  does  not  destroy 
the  type  preservation  property.  Many  lemmas  which  are  needed  to  establish  this  claim  have  been 
already  discussed  in  section  6.  Finally  we  assemble  all  these  pieces  to  obtain  a  generalized  version 
of  the  second  half  of  the  canonical  element  theorem. 

Let us start with the description of the basic ingredients. The first ingredient is the notion
of logical relation for modal and arbitrary contexts. It follows from the previous discussion that
substitutions are necessary to generalize the formulation of the lemma in question. We are given a
typing derivation $\mathcal{D}$ of $\cdot; \Psi \vdash M : A$. Some subderivation of $\mathcal{D}$ might be of the form $\Delta; \Gamma \vdash M' : A'$.
Hence $M'$ can contain free variables from $\Delta$ and from $\Gamma$. The logical relation which we define now
contains all substitutions $\theta; \eta$ with the following properties:

1. If $\theta(x) = M$ where $x : A$ is defined in the context $\Delta$, then $M$ must be a closed object of type
$A$. For our purposes we also must require that $M$ is actually a closed object satisfying $[A]$.

2. If $\eta(x) = M$ where $x : A$ is defined in the context $\Gamma$, then $M$ must be an object satisfying
$|A|$.

The  formal  definition  of  logical  relation  for  modal/arbitrary  contexts  follows  directly.  We  define 
three  logical  relations.  The  first  two  correspond  to  these  two  properties,  the  third  is  a  combination 
of  both. 

Definition 7.23 (Logical relation for modal contexts) $\vdash \theta \in [\Delta]$

Case: If $\Delta = \cdot$ then $\theta = \cdot$

Case: If $\Delta = \Delta', x : A$ then $\theta = \theta', M/x$ and $\cdot \vdash M \in [A]$ and $\vdash \theta' \in [\Delta']$

Unlike this definition, the second logical relation must account for the fact that objects occurring in the substitution may depend on free variables from a context $\Psi$. Hence the context $\Psi$ must be involved in the definition.

Definition 7.24 (Logical relation for regular contexts) $\Psi \vdash \rho \in |\Gamma|$

Case: If $\Gamma = \cdot$ then $\rho = \cdot$

Case: If $\Gamma = \Gamma', x : A$ then $\rho = \rho', V/x$ and $\Psi \vdash V \in |A|$ and $\Psi \vdash \rho' \in |\Gamma'|$

As described earlier in this paper, we prefer to see the context $\Delta$ and the context $\Gamma$ as one combined context. In this sense it is useful to define a combined logical relation which contains both the logical relation for $\Delta$ and the one for $\Gamma$. Here is the formal definition.

Definition 7.25 (Logical relation for combined contexts)

$\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ iff $\vdash \theta \in [\Delta]$ and $\Psi \vdash \rho \in |\Gamma|$

Weakening must also be proven for the logical relations for modal and regular contexts. We omit the easy proof by induction.

Lemma 7.26 (Weakening on logical relations on contexts)

1. If $\Psi \vdash \rho \in |\Gamma|$ and $\Psi' \geq \Psi$ then $\Psi' \vdash \rho \in |\Gamma|$

2. If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ and $\Psi' \geq \Psi$ then $\Psi' \vdash \theta; \rho \in [\Delta; \Gamma]$

Proof: omitted. □

The logical relation for contexts was defined to make a generalization of the second part of the canonical form theorem feasible. Looking at the typing rules in Section 3, Section 4, and Section 5, we observe that the new $\Delta$ in each premiss is always an extension of the $\Delta$ in the conclusion. But this does not hold for the context $\Gamma$. In the rule TpBox, for example, we see that the context $\Gamma$ is discarded. Let $\theta; \rho$ be a substitution satisfying the logical relation $[\Delta; \Gamma]$ where $\Delta; \Gamma$ is the context of some typing derivation ending with rule TpBox. The question which arises immediately is whether $\theta; \rho$ can be restricted in some way to be also an element of $[\Delta; \cdot]$. As a side condition we must require $\Psi$ to be empty, as will become clear when we discuss the case TpBox in Lemma 7.47. The answer is yes: choose the new substitution to be $\theta; \cdot$. The proof again is an easy induction.

Lemma 7.27 (Modal substitution restriction)

If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\cdot \vdash \theta; \cdot \in [\Delta; \cdot]$

Proof: See Appendix C. □

We now address the question whether every substitution $\theta; \rho$ which satisfies a logical relation $[\Delta; \Gamma]$ is well-formed with respect to Definition 6.11. The answer is yes; the proof is easy if we consider the modal part $\theta; \cdot$ and the regular part $\cdot; \rho$ one by one. We show this property in four parts. First we show that $\theta; \cdot$ is well-formed in $\Delta; \cdot$:

Lemma 7.28 (Well-typedness of modal substitutions in logical relations)

If $\vdash \theta \in [\Delta]$ then $\cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$

Proof: See Appendix C. □

Then we show that $\cdot; \rho$ is well-formed in $\cdot; \Gamma$. It should be clear that the formulation of this lemma must involve $\Psi$, because the objects defined by $\rho$ might contain free variables from $\Psi$.

Lemma 7.29 (Well-typedness of regular substitutions in logical relations)

If $\Psi \vdash \rho \in |\Gamma|$ then $\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$

Proof: See Appendix C. □

To assemble both results we must prove a combination lemma: if $\theta; \cdot$ is well-formed with respect to $\Delta; \cdot$ and $\cdot; \rho$ is well-formed with respect to $\cdot; \Gamma$ in a context $\Psi$, then surely $\theta; \rho$ should be well-formed with respect to $\Delta; \Gamma$ in context $\Psi$. This is formalized and proved by the following lemma.

Lemma 7.30 (Combination of two substitutions)

If $\cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$ and $\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$ then $\cdot; \Psi \vdash (\theta; \rho) : (\Delta; \Gamma)$

Proof: See Appendix C. □

The previous three lemmas are now summarized to form the final result: every substitution in a logical relation $[\Delta; \Gamma]$ is well-typed with respect to the context $(\Delta; \Gamma)$.

Lemma 7.31 (Well-typedness of substitutions in logical relations)

If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\cdot; \Psi \vdash (\theta; \rho) : (\Delta; \Gamma)$

Proof: See Appendix C. □

A rather technical but intuitively clear lemma is the following: if a substitution satisfying the logical relation $[\Delta; \Gamma]$ is given and $x : A$ is declared in the modal context $\Delta$, then the lookup of $x$ in $\theta$ returns an object $M$ which satisfies $[A]$.

Lemma 7.32 (Properties of logical relation for modal contexts)

If $\Delta = (\Delta_1, x : A) \cup \Delta_2$ and $\vdash \theta \in [\Delta]$ then $\theta(x) = M$ and $\cdot \vdash M \in [A]$

Proof: See Appendix C. □


A similar result holds for $x : A$ being declared in the context $\Gamma$.

Lemma 7.33 (Properties of logical relation for regular contexts)

If $\Gamma = (\Gamma_1, x : A) \cup \Gamma_2$ and $\Psi \vdash \rho \in |\Gamma|$ then $\rho(x) = M$ and $\Psi \vdash M \in |A|$

Proof: See Appendix C. □

In the following discussion we would like to treat the substitution $\theta; \rho$ as a unit to simplify the presentation of the proofs. Hence we rephrase the previous two statements in the following lemma.

Lemma 7.34 (Properties of logical relation for contexts)

1. If $\Delta = (\Delta_1, x : A) \cup \Delta_2$ and $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\theta(x) = M$ and $\cdot \vdash M \in [A]$

2. If $\Gamma = (\Gamma_1, x : A) \cup \Gamma_2$ and $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\rho(x) = M$ and $\Psi \vdash M \in |A|$

Proof: See Appendix C. □

For the same purpose we state the trivial fact of how to extend the regular part of such a substitution pair by some value $V$ which is an element of the logical relation $|A|$.

Lemma 7.35 (Extending logical relations for contexts)

If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ and $\Psi \vdash V \in |A|$ then $\Psi \vdash \theta; \rho, V/x \in [\Delta; \Gamma, x : A]$

Proof: See Appendix C. □

After this excursion into the basics of well-typed substitutions and their membership in logical relations, we now focus again on the proof of the canonical form theorem. With logical relations for contexts we can generalize the lemma leading eventually to the canonical form theorem:

If $\Delta; \Gamma \vdash M : A$ and $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\Psi \vdash [\theta; \rho](M) \in [A]$

To obtain the result we are interested in, we must use the identity substitution of the context $\Psi$, which supposedly is an instance of $[\cdot; \Psi]$, and apply Lemma 7.34. It is necessary to prove that $\Psi \vdash \cdot; \mathrm{id}_\Psi \in [\cdot; \Psi]$.

Because of the definition of the logical relation for the context $[\cdot; \Psi]$, two lemmas are necessary to prove this. First we show as an auxiliary result that for every $\Psi$, $\Psi \vdash \mathrm{id}_\Psi \in |\Psi|$. This is not trivial, because the proof relies on Lemma 7.17.

Lemma 7.36 (Identity substitution for regular context)

For all $\Psi$ the following holds: $\Psi \vdash \mathrm{id}_\Psi \in |\Psi|$

Proof: See Appendix C. □

As a second step we bring this lemma into the desired form: $\Psi \vdash \cdot; \mathrm{id}_\Psi \in [\cdot; \Psi]$.

Lemma 7.37 (Identity substitution for context)

For all $\Psi$ the following holds: $\Psi \vdash \cdot; \mathrm{id}_\Psi \in [\cdot; \Psi]$

Proof: See Appendix C. □

Slowly we are approaching the canonical form theorem. Recall that we are still trying to show that $\cdot; \Psi \vdash M : A$ implies $\Psi \vdash M \in [A]$. The logical relation for contexts and the properties of the identity substitution have been the first steps towards this lemma. Two more challenging problems must be tackled before we can prove it: the role of elimination and the role of selection. This stems from the conclusion of the lemma: an iterator or a case object can only be in the logical relation $[A]$ if it evaluates to a value. For the iterator this implies that the process of elimination must be "well-behaved"; for case it means that the process of selection must generate an object which evaluates to a value.

The elimination process is invoked by the evaluation of an iterator through the rule EvIt. Recall that elimination traverses the structure of the canonical form of the subject of iteration, looking up each of the (pseudo) constructors in the term replacement $\Omega$. Under the assumption that $\Omega$ is an element of the logical relation of the term replacement ($\Psi + \Psi'' \vdash \Omega \in [(\omega)(\Sigma'; \Psi')]$) we can now state the missing link to the canonical form theorem for the iterator. $\Psi'$ represents the set of pseudo constructors possibly occurring in the canonical object, $\Psi''$ contains their images under the term replacement $\Omega$, and $\Psi$ is the context in which the iterator object is well-typed.

If $\Psi + \Psi'' \vdash \Omega \in [(\omega)(\Sigma'; \Psi')]$ and $\Sigma' = N^*(\Sigma; I(\Sigma; B))$ then

1. If $\Psi' \vdash V \Uparrow B'$ then $\Psi \cup \Psi'' \vdash \langle \omega; \Omega \rangle(V) \in [(\omega)(B')]$

From our experience with other proofs in this paper it is easy to see that we must generalize this property before we can prove it. Canonical forms depend mutually on atomic forms, hence as a first approximation we generalize the statement:

If $\Psi + \Psi'' \vdash \Omega \in [(\omega)(\Sigma'; \Psi')]$ and $\Sigma' = N^*(\Sigma; I(\Sigma; B))$ then

1. If $\Psi' \vdash V \downarrow B'$ then $\Psi \cup \Psi'' \vdash \langle \omega; \Omega \rangle(V) \in [(\omega)(B')]$

2. If $\Psi' \vdash V \Uparrow B'$ then $\Psi \cup \Psi'' \vdash \langle \omega; \Omega \rangle(V) \in [(\omega)(B')]$

But even this generalization does not go far enough. The attentive reader might already suspect that the generalized formulation of the property is not adequate to provide a strong enough induction hypothesis to actually prove the lemma. The problem lies in the rule CanLam, which introduces new pseudo constructors into the set $\Psi'$. To solve this problem we introduce a substitution $\cdot; \mathrm{id}_\Psi \cup \rho$ which satisfies the logical relation $[\cdot; \Psi \cup \Psi'']$. Note that this substitution acts as the identity substitution on all variables from $\Psi$. This is a crucial property in the argument, because it allows us to use the strengthening lemma, which states that if a substitution acts as the identity function on all free variables of a term $M$, then its application to $M$ yields $M$. We call it the strengthening lemma because the domain of the substitution might contain further variables which are not mapped to themselves.

Lemma 7.38 (Strengthening lemma)

Let $\Delta; \Gamma \cup \Gamma' \cup \Gamma'' \vdash (\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\Gamma''}) : (\Delta; \Gamma \cup \Gamma' \cup \Gamma'')$

1. If $\Delta; \Gamma \cup \Gamma'' \vdash M : A$ then $M = [\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\Gamma''}](M)$

2. If $\Delta; \Gamma \cup \Gamma'' \vdash \Xi : (B \Rightarrow A)(\Sigma')$ then $\Xi = [\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\Gamma''}](\Xi)$

3. If $\Delta; \Gamma \cup \Gamma'' \vdash \Omega :
 (\omega)(\Sigma')$ then $\Omega = [\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\Gamma''}](\Omega)$

Proof: See Appendix C. □

The trick of using the identity function in the formulation of the lemma leaves us to prove the following lemma for the iterator:

If $\Psi \cup \Psi'' \vdash \cdot; \mathrm{id}_\Psi \cup \rho \in [\cdot; \Psi \cup \Psi'']$, $\Psi + \Psi'' \vdash \Omega \in [(\omega)(\Sigma'; \Psi')]$ and $\Sigma' = N^*(\Sigma; I(\Sigma; B))$ then

1. If $\Psi' \vdash V \downarrow B'$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\langle \omega; \Omega \rangle(V)) \in [(\omega)(B')]$

2. If $\Psi' \vdash V \Uparrow B'$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\langle \omega; \Omega \rangle(V)) \in [(\omega)(B')]$

This formulation of the lemma is very close to the version we will finally prove. But we cannot prove it directly. The reason for this has already been mentioned in Section 6. Not every constructor $c : C$ which is encountered during the traversal is an element of $\Sigma'$: constructors whose target type $\tau(C)$ is not in $I(\Sigma; B)$ are replaced by themselves according to the definition of ElConst. Not being an element of $I(\Sigma; B)$ can have two possible reasons:

1. $\tau(C) \not<_\Sigma \tau(B)$

2. $\tau(B) \not<_\Sigma \tau(C)$

In the first case we are done, as a consequence of Lemma 6.35 and Lemma 6.36 from Section 6. All that remains to show is that the second case cannot occur. We prove this property by generalizing the auxiliary lemma for the iterator further. The idea is to show that if during the elimination process a canonical form $V$ of type $B'$ is encountered, then $\tau(B') <_\Sigma \tau(B)$ holds.

To accomplish this we define three conditions, formulated as preconditions and postconditions for the elimination process, which we will add to the formulation of the auxiliary lemma for the iterator. We distinguish two preconditions: one for the case that the encountered object is canonical and one for the case that the object is atomic. If an atomic form is an application, then ElApp must be applied. To show that the precondition for the second branch holds, we must define a postcondition which is valid after the iteration of the first premiss terminates. The first premiss of AtApp is always atomic, hence it is enough to establish the postcondition for the atomic case only.

Definition 7.39 (Atomic precondition for elimination) Let $B$ be an arbitrary pure type:

$\mathrm{Pre}^{\downarrow}_B(\Psi, B')$ iff $\tau(B') <_\Sigma \tau(B)$ and $\Psi \blacktriangleleft_\Sigma \tau(B)$

The first part of this definition guarantees the weak subordination of $\tau(B')$ and $\tau(B)$. We cannot assume strong subordination, because elimination can be applied to non-inductive types. The second part of this precondition is necessary because the precondition must imply the postcondition, which finally might be used to imply the precondition for canonical form elimination. The precondition for canonical forms is stronger than the one for atomic forms. It states in addition that for every pseudo constructor all source types are subordinated by $\tau(B)$, as long as the pseudo constructor can be used in the definition of the object.

Definition 7.40 (Canonical precondition for elimination) Let $B$ be an arbitrary pure type:

$\mathrm{Pre}^{\Uparrow}_B(\Psi, B')$ iff $\mathrm{Pre}^{\downarrow}_B(\Psi, B')$ and for all $B'' \in \mathrm{PCT}(B')$: if $\tau(B'') <_\Sigma \tau(B)$ then for all $y \in \mathrm{Source}(B'')$: $y <_\Sigma \tau(B)$

The postcondition for atomic form elimination provides that every source type of the type of the atomic object to be eliminated is actually subordinated by the goal type of $B$, which might be very different from $B'$.

Definition 7.41 (Atomic postcondition for elimination) Let $B$ be an arbitrary pure type:

$\mathrm{Post}^{\downarrow}_B(B')$ iff for all $y \in \mathrm{Source}(B')$: $y <_\Sigma \tau(B)$

The proof of the auxiliary lemma for the iterator will be by induction over the atomic or canonical structure of the elimination subject. The following lemma shows that preconditions and postconditions imply each other in the way needed to perform the inductive argument. For this purpose recall the definition of atomic and canonical forms from Definition 2.6. If we have a derivation ending in an application of AtVar and the atomic precondition holds, then we must show that the postcondition holds. The same holds for a derivation ending with AtConst. In the case of application (AtApp) we encounter the following situation. Let $\mathcal{D}$ be a derivation ending in

$$\frac{\mathcal{D}_1 :: \Psi \vdash V_1 \downarrow B_1 \to B_2 \qquad \mathcal{D}_2 :: \Psi \vdash V_2 \Uparrow B_1}{\Psi \vdash V_1\, V_2 \downarrow B_2}\ \mathrm{AtApp}$$

By assumption we know that $\mathrm{Pre}^{\downarrow}_B(\Psi, B_2)$ holds. The application of the induction hypothesis to $\mathcal{D}_1$ requires that $\mathrm{Pre}^{\downarrow}_B(\Psi, B_1 \to B_2)$ holds (to be proven). Finally, for this case, the application of the induction hypothesis to $\mathcal{D}_2$ requires that $\mathrm{Pre}^{\Uparrow}_B(\Psi, B_1)$ holds. For this proof we fortunately can assume $\mathrm{Post}^{\downarrow}_B(B_1 \to B_2)$.

A complete list of all necessary implications is summarized by the following lemma. The first statement is needed for AtVar, the second for AtConst. The third and the fourth are necessary for AtApp. CanAt does not require any special considerations, since the canonical precondition is stronger than the atomic one. The fifth statement makes the case CanLam go through. And finally the last fact provides the necessary information to ensure that the initial precondition holds (see Lemma 7.47).

Lemma 7.42 (Preservation of Preconditions and Postconditions)

1. If $\mathrm{Pre}^{\downarrow}_B(\Psi, B')$ and $\Psi(x) = B'$ then $\mathrm{Post}^{\downarrow}_B(B')$

2. If $\mathrm{Pre}^{\downarrow}_B(\Psi, B')$ and $\Sigma(c) = B'$ then $\mathrm{Post}^{\downarrow}_B(B')$

3. $\mathrm{Pre}^{\downarrow}_B(\Psi, B_2)$ implies $\mathrm{Pre}^{\downarrow}_B(\Psi, B_1 \to B_2)$

4. $\mathrm{Pre}^{\downarrow}_B(\Psi, B_2)$ and $\mathrm{Post}^{\downarrow}_B(B_1 \to B_2)$ imply $\mathrm{Pre}^{\Uparrow}_B(\Psi, B_1)$ and $\mathrm{Post}^{\downarrow}_B(B_2)$

5. $\mathrm{Pre}^{\Uparrow}_B(\Psi, B_1 \to B_2)$ implies $\mathrm{Pre}^{\Uparrow}_B(\Psi, x : B_1, B_2)$

6. For all pure types $B$: $\mathrm{Pre}^{\Uparrow}_B(\cdot, B)$

Proof: See Appendix C. □

Now all ingredients for the formulation of the auxiliary lemma for the iterator are prepared. By inserting preconditions and postconditions for atomic and canonical forms into the formulation we obtain the auxiliary lemma for the iterator which, as expected, is proven by mutual induction over atomic and canonical forms. The proof relies on the results from Lemma 7.42.

Lemma 7.43 (Auxiliary lemma for iterator)

If $\Psi \cup \Psi'' \vdash \cdot; \mathrm{id}_\Psi \cup \rho \in [\cdot; \Psi \cup \Psi'']$, $\Psi + \Psi'' \vdash \Omega \in [(\omega)(\Sigma'; \Psi')]$ and $\Sigma' = N^*(\Sigma; I(\Sigma; B))$ then

1. If $\Psi' \vdash V \downarrow B'$ and $\mathrm{Pre}^{\downarrow}_B(\Psi', B')$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\langle \omega; \Omega \rangle(V)) \in [(\omega)(B')]$ and $\mathrm{Post}^{\downarrow}_B(B')$

2. If $\Psi' \vdash V \Uparrow B'$ and $\mathrm{Pre}^{\Uparrow}_B(\Psi', B')$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\langle \omega; \Omega \rangle(V)) \in [(\omega)(B')]$

Proof: See Appendix C. □

Similarly to the development of the auxiliary lemma for the iterator we can prove an auxiliary lemma for case, which shows that the selection process "behaves" well. The selection process seems to be much easier than the elimination process, because only the head constructor selects an object; its arguments must be closed and boxed. Thus, before discussing the auxiliary lemma for case we present a result which shows how to close and box arguments.

For this purpose we must show that a canonical object of type $B$ is an element of the logical relation $[B]$. For the same reasons as above, we must prove this result also for atomic objects. The possible introduction of pseudo constructors by CanLam makes it necessary to introduce a substitution $\cdot; \rho$ replacing all pseudo constructors in $\Psi$ by some object. The substitution is assumed to satisfy $[\cdot; \Psi]$. We need this result for the proof of Lemma 7.45.

Lemma 7.44 (Every canonical element is a member of the logical relation)

1. If $\Psi \vdash V \downarrow B$ and $\Psi' \vdash \cdot; \rho \in [\cdot; \Psi]$ then $\Psi' \vdash [\cdot; \rho](V) \in [B]$

2. If $\Psi \vdash V \Uparrow B$ and $\Psi' \vdash \cdot; \rho \in [\cdot; \Psi]$ then $\Psi' \vdash [\cdot; \rho](V) \in [B]$

Proof: See Appendix C. □

We now present the final preparatory lemma for the auxiliary lemma for case. Consider rule SeApp from Definition 5.15. The selection judgment applied to an application of the form $V_1\, V_2$ first selects some object for $M_1$ and constructs a boxed abstraction closure over the object $V_2$. The result of the selection process is then the application of $M_1$ to this newly constructed object. Note that $V_2$ can contain any pseudo constructor introduced by preceding $\lambda$-abstractions. We show now that we can close $V_2$ under all these variables by using abstraction closures.

Lemma 7.45 (Properties of transformation types)

If $\Psi \vdash V \Uparrow B$ then $\cdot \vdash \Lambda\{\Psi\}.V \in [\Pi\{\Psi\}.B]$

Proof: See Appendix C. □

We can now use the previous four lemmas to prove the auxiliary lemma for case. Recall that the overall goal is a result which is very similar to the one for the iterator. From the assumption that the match $\Xi$ satisfies $\Psi + \Psi'' \vdash \Xi \in [(B \Rightarrow A)(\Sigma'; \Psi')]$ we need to prove that the selection process generates an object which satisfies the logical relation $[C^*(B, A, B')]$. Recall from the formulation of the auxiliary lemma for the iterator that $\Psi'$ represents the set of pseudo constructors possibly occurring in the canonical object, $\Psi''$ contains their images under the match $\Xi$, and $\Psi$ is the context in which the case object is well-typed.

If $\Psi + \Psi'' \vdash \Xi \in [(B \Rightarrow A)(\Sigma'; \Psi')]$ and $\Sigma' = N(\Sigma; \tau(B))$ then

1. If $\Psi' \vdash V \Uparrow B'$ then $\Psi \cup \Psi'' \vdash \{B \Rightarrow A; \Xi; \Psi'\}(V) \in [C^*(B, A, B')]$

Unfortunately, this formulation of the lemma cannot be proven without further generalization. The first generalization step has to do with the mutual dependency of atomic and canonical forms. We have to be more careful than in the iterator case, because atomic objects are only of "case type" but not of "complete case type".

If $\Psi + \Psi'' \vdash \Xi \in [(B \Rightarrow A)(\Sigma'; \Psi')]$ and $\Sigma' = N(\Sigma; \tau(B))$ then

1. If $\Psi' \vdash V \downarrow B'$ then $\Psi \cup \Psi'' \vdash \{B \Rightarrow A; \Xi; \Psi'\}(V) \in [C(B, A, B')]$

2. If $\Psi' \vdash V \Uparrow B'$ then $\Psi \cup \Psi'' \vdash \{B \Rightarrow A; \Xi; \Psi'\}(V) \in [C^*(B, A, B')]$

Following the example of the iterator, we encounter exactly the same problem here. The rule CanLam extends the set of pseudo constructors, which would prevent the induction hypothesis from applying in this case. To generalize this lemma further, we use the same trick with the substitution $\cdot; \mathrm{id}_\Psi \cup \rho$ as in the iterator case.

If $\Psi \cup \Psi'' \vdash \cdot; \mathrm{id}_\Psi \cup \rho \in [\cdot; \Psi \cup \Psi'']$, $\Psi + \Psi'' \vdash \Xi \in [(B \Rightarrow A)(\Sigma'; \Psi')]$ and $\Sigma' = N(\Sigma; \tau(B))$ then

1. If $\Psi' \vdash V \downarrow B'$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\{B \Rightarrow A; \Xi; \Psi'\}(V)) \in [C(B, A, B')]$

2. If $\Psi' \vdash V \Uparrow B'$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\{B \Rightarrow A; \Xi; \Psi'\}(V)) \in [C^*(B, A, B')]$

This formulation is very close to the lemma as we prove it. But still the proof does not go through. The problem is the context $\Psi'$ of pseudo constructors. We must be able to recover the information that $\Pi\{\Psi'\}.\tau(B) = B$. To make this more formal, we can assume this property to hold for the atomic case: $\Psi'$ essentially represents $B$. For the canonical case, we can assume that $\Psi'$ represents the initial set of domain types of type $B$. The remaining domain types are still represented by the type $B'$: $\Pi\{\Psi'\}.B' = B$. Another piece of information is needed for the successful proof: $\tau(B) = \tau(B')$.

Lemma 7.46 (Auxiliary lemma for case)

If $\Psi \cup \Psi'' \vdash \cdot; \mathrm{id}_\Psi \cup \rho \in [\cdot; \Psi \cup \Psi'']$, $\Psi + \Psi'' \vdash \Xi \in [(B \Rightarrow A)(\Sigma'; \Psi')]$ and $\Sigma' = N(\Sigma; \tau(B))$ then

1. If $\Psi' \vdash V \downarrow B'$ and $\Pi\{\Psi'\}.\tau(B) = B$ and $\tau(B') = \tau(B)$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\{B \Rightarrow A; \Xi; \Psi'\}(V)) \in [C(B, A, B')]$

2. If $\Psi' \vdash V \Uparrow B'$ and $\Pi\{\Psi'\}.B' = B$ then $\Psi \cup \Psi'' \vdash [\cdot; \mathrm{id}_\Psi \cup \rho](\{B \Rightarrow A; \Xi; \Psi'\}(V)) \in [C^*(B, A, B')]$

Proof: See Appendix C. □

This concludes the presentation of the preparatory work. All the ingredients are prepared; we just have to put them together to obtain the generalized first lemma completing the canonical form theorem. Recall that the proof of the canonical form theorem is performed in two steps, as we discussed earlier:

1. If $\Psi \vdash M \in [B]$ then $\Psi \vdash M \Uparrow V : B$

2. If $\cdot; \Psi \vdash M : A$ then $\Psi \vdash M \in [A]$

The first property was already proven in Lemma 7.17. We discussed that a generalization of the second step is necessary. This generalization led to the introduction of logical relations for contexts with substitutions as their elements. We now prove this generalized version, the centerpiece of this work. All results obtained so far are needed for the proof of this lemma. The proof is done by induction over the typing derivation.

Lemma 7.47 (Typing and logical relations)

Let $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$

1. If $\Delta; \Gamma \vdash M : A$ then $\Psi \vdash [\theta; \rho](M) \in [A]$

2. If $\Delta; \Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma')$ then $\Psi + \cdot \vdash [\theta; \rho](\Xi) \in [(B \Rightarrow A)(\Sigma'; \cdot)]$

3. If $\Delta; \Gamma \vdash \Omega : (\omega)(\Sigma')$ then $\Psi + \cdot \vdash [\theta; \rho](\Omega) \in [(\omega)(\Sigma'; \cdot)]$

Proof: See Appendix C. □

As the main result of this section, both lemmas, namely Lemma 7.17 and Lemma 7.47, can be summarized in the canonical form theorem. This theorem says that every object $M$ of pure type evaluates to a canonical form. In other words, no matter how complex the form of the object $M$ is (it may contain $\lambda$-abstractions, applications, boxes, and lets), it will evaluate to a canonical form containing only $\lambda$-abstractions and applications. Section 9 emphasizes this point again and shows the usefulness of this result.

Theorem 7.48 (Canonical form theorem)

If $\cdot; \Psi \vdash M : B$ then $\Psi \vdash M \Uparrow V : B$

Proof: See Appendix C. □
8 Type preservation theorem

The canonical form lemma and the corresponding theorem are two very powerful results. The type preservation property of the operational semantics of our system follows as a corollary if we have one more lemma, namely that the value of an object is unique. This claim is intuitively immediate because the form of the object triggers the evaluation rule, which is uniquely determined. The operational semantics and evaluation to canonical forms are mutually dependent, hence the uniqueness lemma reads as follows.

Lemma 8.1 (Uniqueness of evaluation)

1. If $\Psi \vdash M \Uparrow V : B$ and $\Psi \vdash M \Uparrow V' : B$ then $V = V'$

2. If $\Psi \vdash M \hookrightarrow V : A$ and $\Psi \vdash M \hookrightarrow V' : A$ then $V = V'$

Proof: See Appendix D. □

An easy corollary of Lemma 7.47 is now the type preservation theorem, guaranteeing that types are preserved under our operational semantics.

Theorem 8.2 (Type preservation)

If $\cdot; \Psi \vdash M : A$ and $\Psi \vdash M \hookrightarrow V : A$ then $\cdot; \Psi \vdash V : A$

Proof: See Appendix D. □

In the next section we present another corollary of Lemma 7.47: our modal $\lambda$-calculus is a conservative extension of the simply typed $\lambda$-calculus.
9 Conservative extension theorem

We have arrived at the final result of this paper: our calculus is a conservative extension of the simply-typed $\lambda$-calculus. By definition it is clear that the language of objects and types of the modal $\lambda$-calculus extends the formulation of the simply typed $\lambda$-calculus. It follows quite naturally that every typing derivation in the simply-typed calculus can be represented in our system: using the empty modal context, StpVar must be replaced by TpVarReg, StpConst by TpConst, StpLam by TpLam, and finally StpApp by TpApp.

Lemma 9.1 (Typing extension)

If $\Psi \vdash M : B$ then $\cdot; \Psi \vdash M : B$

Proof: See Appendix E. □

Let $M$ be an object of pure type $B$ with free variables from a pure context $\Psi$. $M$ itself need not be pure but may be some term in the modal $\lambda$-calculus including boxes, lets, iterators, and definitions by cases. We have seen that $M$ has a canonical form $V$, and Lemma 7.2 (1) shows that $V$ must be a term in the simply typed $\lambda$-calculus.

Theorem 9.2 (Conservative Extension)

If $\cdot; \Psi \vdash M : B$ then $\Psi \vdash M \Uparrow V : B$ and $\Psi \vdash V \Uparrow B$

Proof: See Appendix E. □
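The pure fragment that Theorem 9.2 singles out is concrete enough to run. What follows is an added example, not code from the paper or its authors: it implements the simply-typed fragment in which canonical forms live, with simultaneous substitution showing the strengthening property of Lemma 7.38, the atomic and canonical forms of Definition 2.6, and evaluation to canonical form, and checks on constructed terms that the result is canonical and keeps its type (Theorems 8.2 and 9.2 restricted to the pure fragment). The names Var, Const, Lam, App, subst, canonical and evaluate_checked, the encoding of types as strings and tuples, and the sample signature with constants z and s are this example's own assumptions.

```python
# Added example, not the paper's own code: the pure (simply-typed) fragment in
# which canonical forms live.  Pure types B ::= a | B1 -> B2 are encoded as a
# string for a base type a and a tuple ('->', B1, B2) for an arrow; the class
# and function names below are this example's own choices.
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var:   name: str
@dataclass(frozen=True)
class Const: name: str
@dataclass(frozen=True)
class Lam:   x: str; ty: object; body: object
@dataclass(frozen=True)
class App:   fn: object; arg: object

_counter = count()                           # source of fresh variable names

def free_vars(M):
    if isinstance(M, Var):   return {M.name}
    if isinstance(M, Const): return set()
    if isinstance(M, Lam):   return free_vars(M.body) - {M.x}
    return free_vars(M.fn) | free_vars(M.arg)

def subst(M, rho):
    """Simultaneous capture-avoiding substitution rho (name -> term) on M.
    A binder is renamed only when capture would really occur."""
    if isinstance(M, Var):   return rho.get(M.name, M)
    if isinstance(M, Const): return M
    if isinstance(M, App):   return App(subst(M.fn, rho), subst(M.arg, rho))
    live = {y: N for y, N in rho.items() if y != M.x and y in free_vars(M.body)}
    x = M.x
    if any(x in free_vars(N) for N in live.values()):
        x = f"{M.x}_{next(_counter)}"        # rename the binder to avoid capture
        live[M.x] = Var(x)
    return Lam(x, M.ty, subst(M.body, live))

def strengthening_holds(M, rho):
    """Lemma 7.38 on one instance: rho is the identity on FV(M) (it may map
    other variables anywhere), and then [rho](M) is M itself."""
    assert all(rho.get(y, Var(y)) == Var(y) for y in free_vars(M))
    return subst(M, rho) == M

def typeof(psi, sig, M):
    """Type of M in pure context psi and signature sig (dicts name -> type)."""
    if isinstance(M, Var):   return psi[M.name]
    if isinstance(M, Const): return sig[M.name]
    if isinstance(M, Lam):   return ('->', M.ty, typeof({**psi, M.x: M.ty}, sig, M.body))
    tf = typeof(psi, sig, M.fn)
    if isinstance(tf, str) or tf[1] != typeof(psi, sig, M.arg):
        raise TypeError(f"ill-typed application: {M}")
    return tf[2]

def is_atomic(psi, sig, V, B):
    """psi |- V atomic B (Definition 2.6): a variable or constant of type B, or
    an atomic function applied to a canonical argument."""
    if isinstance(V, (Var, Const)):
        return typeof(psi, sig, V) == B
    if not isinstance(V, App):
        return False
    tf = typeof(psi, sig, V.fn)
    return (not isinstance(tf, str) and tf[2] == B
            and is_atomic(psi, sig, V.fn, tf)
            and is_canonical(psi, sig, V.arg, tf[1]))

def is_canonical(psi, sig, V, B):
    """psi |- V canonical B: eta-long and beta-normal."""
    if isinstance(B, str):
        return is_atomic(psi, sig, V, B)
    return (isinstance(V, Lam) and V.ty == B[1]
            and is_canonical({**psi, V.x: V.ty}, sig, V.body, B[2]))

def whnf(M):
    """Beta-reduce at the head until the head is a variable or constant."""
    if isinstance(M, App):
        f = whnf(M.fn)
        return whnf(subst(f.body, {f.x: M.arg})) if isinstance(f, Lam) else App(f, M.arg)
    return M

def canonical(psi, sig, M, B):
    """Evaluate a well-typed M : B to its canonical form V (psi |- M ⇑ V : B)."""
    if not isinstance(B, str):               # B = B1 -> B2: eta-expand if needed
        x = M.x if isinstance(M, Lam) else f"x_{next(_counter)}"
        body = M.body if isinstance(M, Lam) else App(M, Var(x))
        return Lam(x, B[1], canonical({**psi, x: B[1]}, sig, body, B[2]))
    V, spine = whnf(M), []                   # base type: head normal form first
    while isinstance(V, App):
        spine.append(V.arg)
        V = V.fn
    head_ty = typeof(psi, sig, V)            # the head is a variable or constant
    for arg in reversed(spine):              # then canonicalise every argument
        V, head_ty = App(V, canonical(psi, sig, arg, head_ty[1])), head_ty[2]
    return V

def evaluate_checked(psi, sig, M):
    """Theorems 8.2 and 9.2 on one term: the canonical form is a term of the
    simply-typed fragment and keeps the type of M."""
    B = typeof(psi, sig, M)
    V = canonical(psi, sig, M, B)
    assert is_canonical(psi, sig, V, B) and typeof(psi, sig, V) == B
    return V, B
```

With a constructed signature `{'z': 'nat', 's': ('->', 'nat', 'nat')}` and the term $(\lambda f{:}\mathrm{nat} \to \mathrm{nat}.\ \lambda x{:}\mathrm{nat}.\ f\,(f\,x))\ s\ z$, `evaluate_checked` returns the canonical form $s\,(s\,z)$ at type nat; at type $\mathrm{nat} \to \mathrm{nat}$ the bare constant $s$ is eta-expanded to $\lambda x{:}\mathrm{nat}.\ s\,x$, which is what makes the result canonical in the sense of Definition 2.6 rather than merely beta-normal. The substitution is deliberately conservative about renaming so that `strengthening_holds` compares terms syntactically, as Lemma 7.38 does.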

This concludes the discussion of the meta-theoretic properties of the modal $\lambda$-calculus which we presented in this paper.
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10  Conclusion  and  Future  Work 

We  have  presented  a  calculus  for  primitive  recursive  functionals  over  higher-order  abstract  syn¬ 
tax  which  guarantees  that  the  adequacy  of  encodings  remains  intact.  The  requisite  conservative 
extension  theorem  is  technically  deep  and  requires  a  careful  system  design  and  analysis  of  the 
properties  of  a  modal  operator  □  and  its  interaction  with  function  definition  by  iteration  and 
cases.  To  our  knowledge,  this  is  the  first  system  in  which  it  is  possible  to  safely  program  function¬ 
ally  with  higher-order  abstract  syntax  representations.  It  thus  complements  and  refines  the  logic 
programming  approach  to  programming  with  such  representations  [Mil92,  Pfe91]. 

Our  work  was  inspired  by  Miller’s  system  [Mil90],  which  was  presented  in  the  context  of  ML. 
Due  to  the  presence  of  unrestricted  recursion  and  the  absence  of  a  modal  operator,  Miller’s  system 
is  computationally  adequate,  but  has  a  much  weaker  meta-theory  which  would  not  be  sufficient  for 
direct  use  in  a  logical  framework.  The  system  of  Meijer  and  Hutton  [MH95]  and  its  refinement  by 
Fegaras  and  Sheard  [FS96]  are  also  related  in  that  they  extend  primitive  recursion  to  encompass 
functional  objects.  However,  they  treat  functional  objects  extensionally,  while  our  primitives  are 
designed  so  we  can  analyze  the  internal  structure  of  A-abstractions  directly.  Fegaras  and  Sheard 
also  note  the  problem  with  adequacy  and  design  more  stringent  type-checking  rules  in  Section  3.4 
of  [FS96]  to  circumvent  this  problem.  In  contrast  to  our  system,  their  proposal  does  not  appear 
to  have  a  logical  interpretation.  Furthermore,  they  neither  claim  nor  prove  type  preservation  or 
an  appropriate  analogue  of  conservative  extension — critical  properties  which  are  not  obvious  in  the 
presence  of  their  internal  type  tags  and  Place  constructor. 

Our system is satisfactory from the theoretical point of view and could be the basis for a practical implementation. Such an implementation would allow the definition of functions of arbitrary types, while data constructors are constrained to have pure type. Many natural functions over higher-order representations turn out to be directly definable (e.g., one-step parallel reduction or conversion to de Bruijn indices); others require explicit counters to guarantee termination (e.g., multi-step reduction or full evaluation). On the other hand, it appears that some natural algorithms (e.g., a structural equality check which traverses two expressions simultaneously) are not implementable, even though the underlying function is certainly definable (e.g., via a translation to de Bruijn indices). For larger applications, writing programs by iteration becomes tedious and error-prone, and a pattern-matching calculus such as the one employed in ALF [CNSvS94] or proposed by Jouannaud and Okada [JO91] seems more practical. Our informal notation in the examples provides some hints as to what concrete syntax one might envision for an implementation along these lines.

The present paper is a first step towards a system with dependent types in which proofs of meta-logical properties of higher-order encodings can be expressed directly by dependently typed, total functions. The meta-theory of such a system appears to be highly complex, since the modal operators necessitate a let box construct which, prima facie, requires commutative conversions. Martin Hofmann has proposed a semantical explanation for our iteration operator which has led him to discover an equational formulation of the laws for iteration. This may be the critical insight required for a dependently typed version of our calculus. We also plan to reexamine applications in the realm of functional programming [Mil90, FS96] and related work on reasoning about higher-order abstract syntax with explicit induction [DH94, DFH95] or definitional reflection [MM96].
Acknowledgments.  The  work  reported  here  took  a  long  time  to  come  to  fruition,  largely  due 
to  the  complex  nature  of  the  technical  development.  During  this  time  we  have  discussed  various 
A Definition of the modal λ-calculus

Types:             $A ::= a \mid A_1 \to A_2 \mid \Box A \mid A_1 \times A_2$
Pure types:        $B ::= a \mid B_1 \to B_2$
Objects:           $M ::= c \mid x \mid \lambda x{:}A.\,M \mid M_1\,M_2 \mid \mathbf{box}\,M \mid \mathbf{let\ box}\ x = M_1\ \mathbf{in}\ M_2 \mid \langle M_1, M_2\rangle \mid \mathbf{fst}\,M \mid \mathbf{snd}\,M \mid \mathbf{it}(\omega)\,M\,(\Omega) \mid \mathbf{case}(A)\,M\,(\Xi)$
Term replacement:  $\Omega ::= \cdot \mid (\Omega \mid c \mapsto M) \mid (\Omega \mid x \mapsto x')$
Match:             $\Xi ::= \cdot \mid (\Xi \mid c \Rightarrow M) \mid (\Xi \mid x \Rightarrow x')$
Contexts:          $\Gamma ::= \cdot \mid \Gamma, x{:}A$
Pure contexts:     $\Psi ::= \cdot \mid \Psi, x{:}B$
Signature:         $\Sigma ::= \cdot \mid \Sigma, a{:}\mathsf{type} \mid \Sigma, c{:}B$


Definition 2.6 (Atomic and canonical forms)

1. $\Psi \vdash V \downarrow B$ ($V$ is atomic of type $B$ in $\Psi$)
2. $\Psi \vdash V \Uparrow B$ ($V$ is canonical of type $B$ in $\Psi$)

are defined by:

$\dfrac{\Psi(x) = B}{\Psi \vdash x \downarrow B}$ AtVar
$\dfrac{\Sigma(c) = B}{\Psi \vdash c \downarrow B}$ AtConst
$\dfrac{\Psi \vdash V_1 \downarrow B_2 \to B_1 \qquad \Psi \vdash V_2 \Uparrow B_2}{\Psi \vdash V_1\,V_2 \downarrow B_1}$ AtApp

$\dfrac{\Psi \vdash V \downarrow a}{\Psi \vdash V \Uparrow a}$ CanAt
$\dfrac{\Psi, x{:}B_1 \vdash V \Uparrow B_2}{\Psi \vdash \lambda x{:}B_1.\,V \Uparrow B_1 \to B_2}$ CanLam


Definition 3.1 (Typing judgment)

1. $\Delta;\Gamma \vdash M : A$ ($M$ has type $A$ in context $\Delta;\Gamma$)
2. $\Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma)$ ($\Omega$ is a well-typed term replacement with respect to context $\Delta;\Gamma$, type replacement $\omega$, and signature $\Sigma$)
3. $\Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma)$ ($\Xi$ is a well-typed match with respect to context $\Delta;\Gamma$, subject type $B$, goal type $A$, and signature $\Sigma$)

are defined by:

$\dfrac{\Gamma(x) = A}{\Delta;\Gamma \vdash x : A}$ TpVarReg
$\dfrac{\Delta(x) = A}{\Delta;\Gamma \vdash x : A}$ TpVarMod
$\dfrac{\Sigma(c) = B}{\Delta;\Gamma \vdash c : B}$ TpConst

$\dfrac{\Delta;\Gamma, x{:}A_1 \vdash M : A_2}{\Delta;\Gamma \vdash \lambda x{:}A_1.\,M : A_1 \to A_2}$ TpLam
$\dfrac{\Delta;\Gamma \vdash M_1 : A_2 \to A_1 \qquad \Delta;\Gamma \vdash M_2 : A_2}{\Delta;\Gamma \vdash M_1\,M_2 : A_1}$ TpApp

$\dfrac{\Delta;\Gamma \vdash M_1 : A_1 \qquad \Delta;\Gamma \vdash M_2 : A_2}{\Delta;\Gamma \vdash \langle M_1, M_2\rangle : A_1 \times A_2}$ TpPair
$\dfrac{\Delta;\Gamma \vdash M : A_1 \times A_2}{\Delta;\Gamma \vdash \mathbf{fst}\,M : A_1}$ TpFst
$\dfrac{\Delta;\Gamma \vdash M : A_1 \times A_2}{\Delta;\Gamma \vdash \mathbf{snd}\,M : A_2}$ TpSnd

$\dfrac{\Delta;\cdot \vdash M : A}{\Delta;\Gamma \vdash \mathbf{box}\,M : \Box A}$ TpBox
$\dfrac{\Delta;\Gamma \vdash M_1 : \Box A_1 \qquad \Delta, x{:}A_1;\Gamma \vdash M_2 : A_2}{\Delta;\Gamma \vdash \mathbf{let\ box}\ x = M_1\ \mathbf{in}\ M_2 : A_2}$ TpLet

$\dfrac{\Delta;\Gamma \vdash M : \Box B \qquad \vdash \omega : \alpha \qquad \Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma')}{\Delta;\Gamma \vdash \mathbf{it}(\omega)\,M\,(\Omega) : \langle\omega\rangle(B)}$ TpIt
where $\alpha = I(\Sigma; B)$ and $\Sigma' = N^*(\Sigma; \alpha)$

$\dfrac{\Delta;\Gamma \vdash M : \Box B \qquad \Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma')}{\Delta;\Gamma \vdash \mathbf{case}(A)\,M\,(\Xi) : C^*(B, A, B)}$ TpCase
where $\Sigma' = N(\Sigma; \tau(B))$

$\dfrac{}{\Delta;\Gamma \vdash \cdot : \langle\omega\rangle(\cdot)}$ TrBase
$\dfrac{\Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma) \qquad \Delta;\Gamma \vdash M : \langle\omega\rangle(B')}{\Delta;\Gamma \vdash (\Omega \mid c \mapsto M) : \langle\omega\rangle(\Sigma, c{:}B')}$ TrInd

$\dfrac{}{\Delta;\Gamma \vdash \cdot : \langle B \Rightarrow A\rangle(\cdot)}$ TmBase
$\dfrac{\Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma) \qquad \Delta;\Gamma \vdash M : C(B, A, B')}{\Delta;\Gamma \vdash (\Xi \mid c \Rightarrow M) : \langle B \Rightarrow A\rangle(\Sigma, c{:}B')}$ TmInd
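The modal restriction in TpBox and TpLet is easiest to see on concrete terms. The following type checker for the box, let box and product fragment of Definition 3.1 is an added example, not code from the paper; it omits it and case (which need $I$, $N^*$ and $C^*$), represents the contexts $\Delta$ and $\Gamma$ as Python dicts, and assumes, as the paper does by renaming, that a name never occurs in both $\Delta$ and $\Gamma$. It shows that $\lambda x{:}a.\,\mathbf{box}\,x$ is rejected because TpBox discards $\Gamma$, while $\lambda y{:}\Box a.\,\mathbf{let\ box}\ x = y\ \mathbf{in}\ \mathbf{box}\,x$ is accepted because TpLet puts $x$ into $\Delta$.

```python
"""Type checker for the modal fragment of Definition 3.1 (added example).

Assumptions not taken from the paper: objects and types are dataclasses,
contexts are dicts, and a variable name occurs in at most one of Delta
and Gamma, so lookup order does not matter.  it and case are left out.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Union


# Types  A ::= a | A1 -> A2 | box A | A1 x A2
@dataclass(frozen=True)
class TAtom:
    name: str

@dataclass(frozen=True)
class TArrow:
    dom: "Type"
    cod: "Type"

@dataclass(frozen=True)
class TBox:
    inner: "Type"

@dataclass(frozen=True)
class TProd:
    left: "Type"
    right: "Type"

Type = Union[TAtom, TArrow, TBox, TProd]


# Objects  M ::= x | \x:A. M | M1 M2 | box M | let box x = M1 in M2 | <M1,M2> | fst M | snd M
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    typ: Type
    body: "Obj"

@dataclass(frozen=True)
class App:
    fn: "Obj"
    arg: "Obj"

@dataclass(frozen=True)
class Box:
    body: "Obj"

@dataclass(frozen=True)
class LetBox:
    var: str
    bound: "Obj"
    body: "Obj"

@dataclass(frozen=True)
class Pair:
    left: "Obj"
    right: "Obj"

@dataclass(frozen=True)
class Fst:
    pair: "Obj"

@dataclass(frozen=True)
class Snd:
    pair: "Obj"

Obj = Union[Var, Lam, App, Box, LetBox, Pair, Fst, Snd]


class IllTyped(Exception):
    """No rule of Definition 3.1 applies."""


def typeof(delta: Dict[str, Type], gamma: Dict[str, Type], m: Obj) -> Type:
    """Return A such that Delta; Gamma |- M : A, or raise IllTyped."""
    if isinstance(m, Var):
        if m.name in gamma:                      # TpVarReg
            return gamma[m.name]
        if m.name in delta:                      # TpVarMod
            return delta[m.name]
        raise IllTyped(f"unbound variable {m.name}")
    if isinstance(m, Lam):                       # TpLam: binder goes into Gamma
        return TArrow(m.typ, typeof(delta, {**gamma, m.var: m.typ}, m.body))
    if isinstance(m, App):                       # TpApp
        f, a = typeof(delta, gamma, m.fn), typeof(delta, gamma, m.arg)
        if not isinstance(f, TArrow) or f.dom != a:
            raise IllTyped(f"cannot apply {f} to {a}")
        return f.cod
    if isinstance(m, Pair):                      # TpPair
        return TProd(typeof(delta, gamma, m.left), typeof(delta, gamma, m.right))
    if isinstance(m, (Fst, Snd)):                # TpFst / TpSnd
        p = typeof(delta, gamma, m.pair)
        if not isinstance(p, TProd):
            raise IllTyped(f"projection from non-product {p}")
        return p.left if isinstance(m, Fst) else p.right
    if isinstance(m, Box):                       # TpBox: Gamma is emptied, Delta survives
        return TBox(typeof(delta, {}, m.body))
    if isinstance(m, LetBox):                    # TpLet: the unboxed variable is modal
        t = typeof(delta, gamma, m.bound)
        if not isinstance(t, TBox):
            raise IllTyped(f"let box on non-modal type {t}")
        return typeof({**delta, m.var: t.inner}, gamma, m.body)
    raise IllTyped(f"unknown object {m!r}")


def check(m: Obj) -> Optional[Type]:
    """Type of M in the empty contexts, or None if M is ill typed."""
    try:
        return typeof({}, {}, m)
    except IllTyped:
        return None


A = TAtom("a")
# \y:box a. let box x = y in box x        well typed, x is modal
UNBOX_REBOX = Lam("y", TBox(A), LetBox("x", Var("y"), Box(Var("x"))))
# \x:a. box x                              ill typed, x is regular and TpBox drops Gamma
LEAK = Lam("x", A, Box(Var("x")))
# \p:box a x box a. box (fst p)            ill typed for the same reason
LEAK_PAIR = Lam("p", TProd(TBox(A), TBox(A)), Box(Fst(Var("p"))))
# \p:box a x box a. let box x = fst p in box x     well typed
PROJECT = Lam("p", TProd(TBox(A), TBox(A)), LetBox("x", Fst(Var("p")), Box(Var("x"))))

if __name__ == "__main__":
    for name, term in [("UNBOX_REBOX", UNBOX_REBOX), ("LEAK", LEAK),
                       ("LEAK_PAIR", LEAK_PAIR), ("PROJECT", PROJECT)]:
        print(name, "->", check(term))
```

Every rule is one branch of `typeof`, so a derivation of $\Delta;\Gamma \vdash M : A$ corresponds to the recursion trace; `check` closes the judgment at $\cdot;\cdot$.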


Definition 4.28 (Elimination)

$(\omega;\Omega)(c) = M$ if $\Omega(c) = M$, and $c$ otherwise (ElConst)
$(\omega;\Omega)(x) = \Omega(x)$ (ElVar)
$(\omega;\Omega)(\lambda x{:}B.\,V) = \lambda u{:}\langle\omega\rangle(B).\,(\omega;\Omega \mid x \mapsto u)(V)$ (ElLam)
$(\omega;\Omega)(V_1\,V_2) = (\omega;\Omega)(V_1)\;(\omega;\Omega)(V_2)$ (ElApp)

Definition 5.15 (Selection)

$\langle B \Rightarrow A; \Xi; \Psi\rangle(c) = \Xi(c)$ (SeConst)
$\langle B \Rightarrow A; \Xi; \Psi\rangle(x) = \Xi(x)$ (SeVar)
$\langle B \Rightarrow A; \Xi; \Psi\rangle(\lambda x{:}B'.\,V) = \lambda u{:}C(B, A, B').\,\langle B \Rightarrow A; \Xi \mid x \Rightarrow u; \Psi, x{:}B'\rangle(V)$ (SeLam)
$\langle B \Rightarrow A; \Xi; \Psi\rangle(V_1\,V_2) = \langle B \Rightarrow A; \Xi; \Psi\rangle(V_1)\;(\mathbf{box}\,\Lambda\{\Psi\}.\,V_2)$ (SeApp)
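To see Definition 4.28 at work, the following added example (not code from the paper) implements $(\omega;\Omega)(V)$ over canonical forms and runs it for two of the functions named in the conclusion, term size and conversion to de Bruijn indices, on the HOAS signature $\mathsf{exp} : \mathsf{type}$, $\mathsf{lam} : (\mathsf{exp} \to \mathsf{exp}) \to \mathsf{exp}$, $\mathsf{app} : \mathsf{exp} \to \mathsf{exp} \to \mathsf{exp}$. The encoding of canonical forms as Python dataclasses, of target-type functions as Python callables and the sample term are assumptions of the example; the replacement for $\mathsf{lam}$ in the de Bruijn case threads the current binding depth $n$ and maps the bound variable to the function $m \mapsto \mathsf{dvar}(m - n - 1)$, which is what makes the conversion definable without a counter on the term.

```python
"""Elimination (omega; Omega)(V) of Definition 4.28, as an added example.

Assumptions not taken from the paper: canonical forms are dataclasses,
a term replacement Omega is a dict from constant names to Python values
of the target type <omega>(B) (constants absent from Omega stay as they
are, as in ElConst), bound variables are carried in a second dict that
ElLam extends exactly as Omega | x -> u, and functions of the target
type are Python callables, so ElApp is Python application.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Union


@dataclass(frozen=True)
class Const:
    name: str

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:          # \x:B. V
    var: str
    typ: str
    body: "Canon"

@dataclass(frozen=True)
class App:          # V1 V2
    fn: "Canon"
    arg: "Canon"

Canon = Union[Const, Var, Lam, App]


def eliminate(omega: Dict[str, Any], v: Canon, env: Optional[Dict[str, Any]] = None) -> Any:
    """(omega; Omega)(V): constants are replaced through Omega, abstractions
    become abstractions of the target type, applications become applications."""
    env = {} if env is None else env
    if isinstance(v, Const):                                   # ElConst
        return omega.get(v.name, v)
    if isinstance(v, Var):                                     # ElVar: Omega(x)
        return env[v.name]
    if isinstance(v, Lam):                                     # ElLam: \u. (omega; Omega | x -> u)(V)
        return lambda u: eliminate(omega, v.body, {**env, v.var: u})
    if isinstance(v, App):                                     # ElApp
        return eliminate(omega, v.fn, env)(eliminate(omega, v.arg, env))
    raise TypeError(f"not a canonical form: {v!r}")


# HOAS signature:  exp : type,  lam : (exp -> exp) -> exp,  app : exp -> exp -> exp
def lam(f: Canon) -> Canon:
    return App(Const("lam"), f)

def app(e1: Canon, e2: Canon) -> Canon:
    return App(App(Const("app"), e1), e2)

# Constructed sample input: the untyped term  \x. \y. x (x y)  as a canonical form.
SAMPLE = lam(Lam("x", "exp", lam(Lam("y", "exp",
            app(Var("x"), app(Var("x"), Var("y")))))))

# Example 1: size of a term, omega = exp -> nat (Python int).
#   lam -> \f:nat->nat. f 1 + 1        a bound variable occurrence counts 1
#   app -> \m:nat. \n:nat. m + n + 1
SIZE = {"lam": lambda f: f(1) + 1,
        "app": lambda m: lambda n: m + n + 1}

def size(v: Canon) -> int:
    return eliminate(SIZE, v)


# Example 2: de Bruijn conversion, omega = exp -> (nat -> db); the target is a
# first-order syntax, and nat is the binding depth at which a subterm is read.
@dataclass(frozen=True)
class DVar:
    index: int

@dataclass(frozen=True)
class DLam:
    body: "DB"

@dataclass(frozen=True)
class DApp:
    fn: "DB"
    arg: "DB"

DB = Union[DVar, DLam, DApp]

#   lam -> \f. \n. dlam (f (\m. dvar (m - n - 1)) (n + 1))
#   app -> \f. \g. \n. dapp (f n) (g n)
DEBRUIJN = {"lam": lambda f: lambda n: DLam(f(lambda m: DVar(m - n - 1))(n + 1)),
            "app": lambda f: lambda g: lambda n: DApp(f(n), g(n))}

def to_debruijn(v: Canon) -> DB:
    return eliminate(DEBRUIJN, v)(0)


if __name__ == "__main__":
    print(size(SAMPLE))          # 7: two lam, two app, three variable occurrences
    print(to_debruijn(SAMPLE))   # DLam(DLam(DApp(DVar(1), DApp(DVar(1), DVar(0)))))
```

Both functions are obtained purely by choosing $\Omega$; the traversal is the fixed elimination, which is why neither needs the explicit counters the conclusion mentions for multi-step reduction.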
Definition 3.3 (Evaluation judgments)

1. $\Psi \vdash M \hookrightarrow V : A$ ($M$ evaluates to $V$ of type $A$ in context $\Psi$)
2. $\Psi \vdash M \Uparrow V : B$ ($M$ evaluates to a canonical form $V$ of pure type $B$ in context $\Psi$)

are defined by:

$\dfrac{\Psi \vdash M \hookrightarrow V : a}{\Psi \vdash M \Uparrow V : a}$ EcAtomic
$\dfrac{\Psi, x{:}B_1 \vdash M\,x \Uparrow V : B_2}{\Psi \vdash M \Uparrow \lambda x{:}B_1.\,V : B_1 \to B_2}$ EcArrow

$\dfrac{\Psi(x) = A}{\Psi \vdash x \hookrightarrow x : A}$ EvVar
$\dfrac{\Sigma(c) = B}{\Psi \vdash c \hookrightarrow c : B}$ EvConst

$\dfrac{\cdot;\Psi, x{:}A_1 \vdash M : A_2}{\Psi \vdash \lambda x{:}A_1.\,M \hookrightarrow \lambda x{:}A_1.\,M : A_1 \to A_2}$ EvLam

$\dfrac{\Psi \vdash M_1 \hookrightarrow \lambda x{:}A_2.\,M_1' : A_2 \to A_1 \qquad \Psi \vdash M_2 \hookrightarrow V_2 : A_2 \qquad \Psi \vdash [V_2/x](M_1') \hookrightarrow V : A_1}{\Psi \vdash M_1\,M_2 \hookrightarrow V : A_1}$ EvApp

$\dfrac{\Psi \vdash M_1 \hookrightarrow V_1 : B_2 \to B_1 \qquad \Psi \vdash V_1 \downarrow B_2 \to B_1 \qquad \Psi \vdash M_2 \Uparrow V_2 : B_2}{\Psi \vdash M_1\,M_2 \hookrightarrow V_1\,V_2 : B_1}$ EvAtomic

$\dfrac{\cdot;\Psi \vdash M_1 : A_1 \qquad \cdot;\Psi \vdash M_2 : A_2}{\Psi \vdash \langle M_1, M_2\rangle \hookrightarrow \langle M_1, M_2\rangle : A_1 \times A_2}$ EvPair

$\dfrac{\Psi \vdash M \hookrightarrow \langle M_1, M_2\rangle : A_1 \times A_2 \qquad \Psi \vdash M_1 \hookrightarrow V : A_1}{\Psi \vdash \mathbf{fst}\,M \hookrightarrow V : A_1}$ EvFst
$\dfrac{\Psi \vdash M \hookrightarrow \langle M_1, M_2\rangle : A_1 \times A_2 \qquad \Psi \vdash M_2 \hookrightarrow V : A_2}{\Psi \vdash \mathbf{snd}\,M \hookrightarrow V : A_2}$ EvSnd

$\dfrac{\cdot;\cdot \vdash M : A}{\Psi \vdash \mathbf{box}\,M \hookrightarrow \mathbf{box}\,M : \Box A}$ EvBox
$\dfrac{\Psi \vdash M_1 \hookrightarrow \mathbf{box}\,M_1' : \Box A_1 \qquad \Psi \vdash [M_1'/x](M_2) \hookrightarrow V : A_2}{\Psi \vdash \mathbf{let\ box}\ x = M_1\ \mathbf{in}\ M_2 \hookrightarrow V : A_2}$ EvLet

$\dfrac{\Psi \vdash M \hookrightarrow \mathbf{box}\,M' : \Box B \qquad \cdot \vdash M' \Uparrow V' : B \qquad \Psi \vdash (\omega;\Omega)(V') \hookrightarrow V : \langle\omega\rangle(B)}{\Psi \vdash \mathbf{it}(\omega)\,M\,(\Omega) \hookrightarrow V : \langle\omega\rangle(B)}$ EvIt

$\dfrac{\Psi \vdash M \hookrightarrow \mathbf{box}\,M' : \Box B \qquad \cdot \vdash M' \Uparrow V' : B \qquad \Psi \vdash \langle B \Rightarrow A; \Xi; \cdot\rangle(V') \hookrightarrow V : C^*(B, A, B)}{\Psi \vdash \mathbf{case}(A)\,M\,(\Xi) \hookrightarrow V : C^*(B, A, B)}$ EvCase




B  Preliminary  results 

Lemma 6.2 (Every context extends the empty context) $\Gamma \geq \cdot$

Proof: by induction over $\Gamma$.

Case: $\Gamma = \cdot$
  $\cdot \geq \cdot$  by application of CeBase

Case: $\Gamma = \Gamma', x{:}A$
  $\Gamma' \geq \cdot$  by ind. hyp.
  $\Gamma', x{:}A \geq \cdot$  by application of CeInd
□

Lemma 6.4 (Context form) If $\Gamma'' \geq \Gamma \cup \Gamma'$ then $\Gamma'' = \Gamma \cup \Gamma'''$ and $\Gamma''' \geq \Gamma'$.

Proof: by induction over $\mathcal{D} :: \Gamma'' \geq \Gamma \cup \Gamma'$.

Case: $\mathcal{D} = \dfrac{}{\Gamma \cup \Gamma' \geq \Gamma \cup \Gamma'}$ CeBase
  $\Gamma'' = \Gamma \cup \Gamma'$  by definition
  $\Gamma' \geq \Gamma'$  by application of CeBase

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma'' \geq \Gamma \cup \Gamma'}{\Gamma'', x{:}A \geq \Gamma \cup \Gamma'}$ CeInd
  $\Gamma'' = \Gamma \cup \Gamma'''$  by ind. hyp. on $\mathcal{D}_1$
  $\Gamma''' \geq \Gamma'$  by ind. hyp. on $\mathcal{D}_1$
  $\Gamma'', x{:}A = (\Gamma \cup \Gamma'''), x{:}A$  by definition
  $\Gamma'', x{:}A = \Gamma \cup (\Gamma''', x{:}A)$  by application of CuInd
  $\Gamma''', x{:}A \geq \Gamma'$  by application of CeInd
□

Lemma 6.19 (Modal substitution restriction)

If $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ then $\Delta';\cdot \vdash (\theta;\cdot) : (\Delta;\cdot)$.

Proof: by induction over $\mathcal{D} :: \Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$.

Case: $\mathcal{D} = \dfrac{}{\Delta';\Gamma' \vdash (\cdot;\cdot) : (\cdot;\cdot)}$ TSBase
  $\Delta;\Gamma = \cdot;\cdot$  by assumption
  $\Delta';\cdot \vdash (\cdot;\cdot) : (\cdot;\cdot)$  by definition TSBase

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta';\cdot \vdash M : A \qquad \mathcal{D}_2 :: \Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)}{\Delta';\Gamma' \vdash (\theta, M/x;\rho) : (\Delta, x{:}A;\Gamma)}$ TSMod
  $\Delta';\cdot \vdash (\theta;\cdot) : (\Delta;\cdot)$  by ind. hyp. on $\mathcal{D}_2$
  $\Delta';\cdot \vdash (\theta, M/x;\cdot) : (\Delta, x{:}A;\cdot)$  by application of TSMod with $\mathcal{D}_1$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta';\Gamma' \vdash M : A \qquad \mathcal{D}_2 :: \Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)}{\Delta';\Gamma' \vdash (\theta;\rho, M/x) : (\Delta;\Gamma, x{:}A)}$ TSReg
  $\Delta';\cdot \vdash (\theta;\cdot) : (\Delta;\cdot)$  by ind. hyp. on $\mathcal{D}_2$
□


Lemma 6.20 (Properties of typing relation for substitutions)

1. If $\Delta = (\Delta_1, x{:}A) \cup \Delta_2$ and $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ then $\theta(x) = M$ and $\Delta';\cdot \vdash M : A$
2. If $\Gamma = (\Gamma_1, x{:}A) \cup \Gamma_2$ and $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$ then $\rho(x) = M$ and $\Delta';\Gamma' \vdash M : A$

Proof: by induction over $\mathcal{D} :: \Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$.

Case: $\mathcal{D} = \dfrac{}{\Delta';\Gamma' \vdash (\cdot;\cdot) : (\cdot;\cdot)}$ TSBase
  cannot occur.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta';\cdot \vdash M' : A' \qquad \mathcal{D}_2 :: \Delta';\Gamma' \vdash (\theta';\rho) : (\Delta'';\Gamma)}{\Delta';\Gamma' \vdash (\theta', M'/y;\rho) : (\Delta'', y{:}A';\Gamma)}$ TSMod
  $\Delta = \Delta'', y{:}A'$  by assumption
  $\theta = \theta', M'/y$  by assumption

  1. Case: $\Delta_2 = \cdot$
    $\Delta = (\Delta_1, x{:}A) \cup \cdot$  by assumption
    $\Delta = \Delta_1, x{:}A$  by definition CuBase
    $\Delta'' = \Delta_1$  by definition
    $x = y$  by definition
    $A' = A$  by definition
    $(\theta', M'/x)(x) = M'$  by definition SbaInd
    $\theta(x) = M'$  by definition
    $\Delta';\cdot \vdash M' : A$  by assumption

    Case: $\Delta_2 = \Delta_2', z{:}A''$, $x \neq z$
    $\Delta = (\Delta_1, x{:}A) \cup (\Delta_2', z{:}A'')$  by assumption
    $\Delta = ((\Delta_1, x{:}A) \cup \Delta_2'), z{:}A''$  by definition CuInd
    $\Delta'' = (\Delta_1, x{:}A) \cup \Delta_2'$  by definition
    $y = z$  by definition
    $A'' = A'$  by definition
    $\theta'(x) = M$  by ind. hyp. (1) on $\mathcal{D}_2$
    $\Delta';\cdot \vdash M : A$  by ind. hyp. (1) on $\mathcal{D}_2$
    $(\theta', M'/y)(x) = M$  by definition SbaInd
    $\theta(x) = M$  by definition

  2. $\rho(x) = M$  by ind. hyp. (2) on $\mathcal{D}_2$
    $\Delta';\Gamma' \vdash M : A$  by ind. hyp. (2) on $\mathcal{D}_2$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta';\Gamma' \vdash M' : A' \qquad \mathcal{D}_2 :: \Delta';\Gamma' \vdash (\theta;\rho') : (\Delta;\Gamma'')}{\Delta';\Gamma' \vdash (\theta;\rho', M'/y) : (\Delta;\Gamma'', y{:}A')}$ TSReg
  $\Gamma = \Gamma'', y{:}A'$  by assumption
  $\rho = \rho', M'/y$  by assumption

  1. $\theta(x) = M$  by ind. hyp. (1) on $\mathcal{D}_2$
    $\Delta';\cdot \vdash M : A$  by ind. hyp. (1) on $\mathcal{D}_2$

  2. Case: $\Gamma_2 = \cdot$
    $\Gamma = (\Gamma_1, x{:}A) \cup \cdot$  by assumption
    $\Gamma = \Gamma_1, x{:}A$  by definition CuBase
    $\Gamma'' = \Gamma_1$  by definition
    $x = y$  by definition
    $A' = A$  by definition
    $(\rho', M'/x)(x) = M'$  by definition SbaInd
    $\rho(x) = M'$  by definition
    $\Delta';\Gamma' \vdash M' : A$  by $\mathcal{D}_1$

    Case: $\Gamma_2 = \Gamma_2', z{:}A''$, $x \neq z$
    $\Gamma = (\Gamma_1, x{:}A) \cup (\Gamma_2', z{:}A'')$  by assumption
    $\Gamma = ((\Gamma_1, x{:}A) \cup \Gamma_2'), z{:}A''$  by definition CuInd
    $\Gamma'' = (\Gamma_1, x{:}A) \cup \Gamma_2'$  by definition
    $y = z$  by definition
    $A'' = A'$  by definition
    $\rho'(x) = M$  by ind. hyp. (2) on $\mathcal{D}_2$
    $\Delta';\Gamma' \vdash M : A$  by ind. hyp. (2) on $\mathcal{D}_2$
    $(\rho', M'/y)(x) = M$  by definition SbaInd
    $\rho(x) = M$  by definition
□

Lemma 6.21 (Substitution lemma for typing relation)

Let $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$. Then the following holds:

1. If $\Delta;\Gamma \vdash M : A$ then $\Delta';\Gamma' \vdash [\theta;\rho](M) : A$
2. If $\Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma)$ then $\Delta';\Gamma' \vdash [\theta;\rho](\Xi) : \langle B \Rightarrow A\rangle(\Sigma)$
3. If $\Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma)$ then $\Delta';\Gamma' \vdash [\theta;\rho](\Omega) : \langle\omega\rangle(\Sigma)$

Proof: by induction over $\mathcal{D} :: \Delta;\Gamma \vdash M : A$, $\mathcal{E} :: \Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma)$, and $\mathcal{T} :: \Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma)$.

1.

Case: $\mathcal{D} = \dfrac{\Gamma(x) = A}{\Delta;\Gamma \vdash x : A}$ TpVarReg
  $\Gamma(x) = A$  by assumption
  $\Gamma = (\Gamma_1, x{:}A) \cup \Gamma_2$  by definition 2.2
  $\rho(x) = M$  by lemma 6.20 (2)
  $\Delta';\Gamma' \vdash M : A$  by lemma 6.20 (2)
  $[\theta;\rho](x) = M$  by definition SBVar
  $\Delta';\Gamma' \vdash [\theta;\rho](x) : A$  by definition

Case: $\mathcal{D} = \dfrac{\Delta(x) = A}{\Delta;\Gamma \vdash x : A}$ TpVarMod
  $\Delta(x) = A$  by assumption
  $\Delta = (\Delta_1, x{:}A) \cup \Delta_2$  by definition
  $\theta(x) = M$  by lemma 6.20 (1)
  $\Delta';\cdot \vdash M : A$  by lemma 6.20 (1)
  $[\theta;\rho](x) = M$  by definition SBVar
  $\Delta';\cdot \vdash [\theta;\rho](x) : A$  by definition
  $\Gamma' \geq \cdot$  by lemma 6.2
  $\Delta';\Gamma' \vdash [\theta;\rho](x) : A$  by lemma 6.8 (2)

Case: $\mathcal{D} = \dfrac{\Sigma(c) = B}{\Delta;\Gamma \vdash c : B}$ TpConst
  $\Sigma(c) = B$  by assumption
  $\Delta';\Gamma' \vdash c : B$  by application of TpConst
  $[\theta;\rho](c) = c$  by application of SBConst
  $\Delta';\Gamma' \vdash [\theta;\rho](c) : B$  by definition

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta;\Gamma, x{:}A_1 \vdash M : A_2}{\Delta;\Gamma \vdash \lambda x{:}A_1.\,M : A_1 \to A_2}$ TpLam
  $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$  by assumption
  $\Gamma' \geq \Gamma'$  by application of CeBase
  $\Gamma', x{:}A_1 \geq \Gamma'$  by application of CeInd
  $\Delta';\Gamma', x{:}A_1 \vdash (\theta;\rho) : (\Delta;\Gamma)$  by lemma 6.18 (2)
  $(\Gamma', x{:}A_1)(x) = A_1$  by definition
  $\Delta';\Gamma', x{:}A_1 \vdash x : A_1$  by application of TpVarReg
  $\Delta';\Gamma', x{:}A_1 \vdash (\theta;\rho, x/x) : (\Delta;\Gamma, x{:}A_1)$  by application of TSReg
  $\Delta';\Gamma', x{:}A_1 \vdash [\theta;\rho, x/x](M) : A_2$  by ind. hyp. (1)
  $\Delta';\Gamma' \vdash \lambda x{:}A_1.\,[\theta;\rho, x/x](M) : A_1 \to A_2$  by application of TpLam
  $\Delta';\Gamma' \vdash [\theta;\rho](\lambda x{:}A_1.\,M) : A_1 \to A_2$  by inversion using SBLam

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta;\Gamma \vdash M_1 : A_2 \to A_1 \qquad \mathcal{D}_2 :: \Delta;\Gamma \vdash M_2 : A_2}{\Delta;\Gamma \vdash M_1\,M_2 : A_1}$ TpApp
  $\Delta';\Gamma' \vdash [\theta;\rho](M_1) : A_2 \to A_1$  by ind. hyp. (1)
  $\Delta';\Gamma' \vdash [\theta;\rho](M_2) : A_2$  by ind. hyp. (1)
  $\Delta';\Gamma' \vdash [\theta;\rho](M_1)\;[\theta;\rho](M_2) : A_1$  by application of TpApp
  $\Delta';\Gamma' \vdash [\theta;\rho](M_1\,M_2) : A_1$  by inversion using SBApp

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta;\cdot \vdash M : A}{\Delta;\Gamma \vdash \mathbf{box}\,M : \Box A}$ TpBox
  $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$  by assumption
  $\Delta';\cdot \vdash (\theta;\cdot) : (\Delta;\cdot)$  by lemma 6.19
  $\Delta';\cdot \vdash [\theta;\cdot](M) : A$  by ind. hyp. (1)
  $\Delta';\Gamma' \vdash \mathbf{box}\,[\theta;\cdot](M) : \Box A$  by application of TpBox
  $\Delta';\Gamma' \vdash [\theta;\rho](\mathbf{box}\,M) : \Box A$  by definition SBBox

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta;\Gamma \vdash M_1 : \Box A_1 \qquad \mathcal{D}_2 :: \Delta, x{:}A_1;\Gamma \vdash M_2 : A_2}{\Delta;\Gamma \vdash \mathbf{let\ box}\ x = M_1\ \mathbf{in}\ M_2 : A_2}$ TpLet
  $\Delta';\Gamma' \vdash [\theta;\rho](M_1) : \Box A_1$  by ind. hyp. on $\mathcal{D}_1$
  $\Delta';\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$  by assumption
  $\Delta' \geq \Delta'$  by application of CeBase
  $\Delta', x{:}A_1 \geq \Delta'$  by application of CeInd
  $\Delta', x{:}A_1;\Gamma' \vdash (\theta;\rho) : (\Delta;\Gamma)$  by lemma 6.18 (1)
  $(\Delta', x{:}A_1)(x) = A_1$  by definition
  $\Delta', x{:}A_1;\cdot \vdash x : A_1$  by application of TpVarMod
  $\Delta', x{:}A_1;\Gamma' \vdash (\theta, x/x;\rho) : (\Delta, x{:}A_1;\Gamma)$  by application of TSMod
  $\Delta', x{:}A_1;\Gamma' \vdash [\theta, x/x;\rho](M_2) : A_2$  by ind. hyp. on $\mathcal{D}_2$
  $\Delta';\Gamma' \vdash \mathbf{let\ box}\ x = [\theta;\rho](M_1)\ \mathbf{in}\ [\theta, x/x;\rho](M_2) : A_2$  by application of TpLet
  $\Delta';\Gamma' \vdash [\theta;\rho](\mathbf{let\ box}\ x = M_1\ \mathbf{in}\ M_2) : A_2$  by definition SBLet

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta;\Gamma \vdash M : \Box B \qquad \mathcal{E}_1 :: \Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma')}{\Delta;\Gamma \vdash \mathbf{case}(A)\,M\,(\Xi) : C^*(B, A, B)}$ TpCase
  $\Delta;\Gamma \vdash M : \Box B$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](M) : \Box B$  by ind. hyp. (1)
  $\Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma')$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](\Xi) : \langle B \Rightarrow A\rangle(\Sigma')$  by ind. hyp. (2)
  $\Delta';\Gamma' \vdash \mathbf{case}(A)\,[\theta;\rho](M)\,([\theta;\rho](\Xi)) : C^*(B, A, B)$  by application of TpCase
  $\Delta';\Gamma' \vdash [\theta;\rho](\mathbf{case}(A)\,M\,(\Xi)) : C^*(B, A, B)$  by application of SBCase

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Delta;\Gamma \vdash M : \Box B \qquad \vdash \omega : \alpha \qquad \mathcal{T}_1 :: \Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma')}{\Delta;\Gamma \vdash \mathbf{it}(\omega)\,M\,(\Omega) : \langle\omega\rangle(B)}$ TpIt
  $\Delta;\Gamma \vdash M : \Box B$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](M) : \Box B$  by ind. hyp. (1)
  $\Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma')$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](\Omega) : \langle\omega\rangle(\Sigma')$  by ind. hyp. (3)
  $\vdash \omega : \alpha$  by assumption
  $\Delta';\Gamma' \vdash \mathbf{it}(\omega)\,[\theta;\rho](M)\,([\theta;\rho](\Omega)) : \langle\omega\rangle(B)$  by application of TpIt
  $\Delta';\Gamma' \vdash [\theta;\rho](\mathbf{it}(\omega)\,M\,(\Omega)) : \langle\omega\rangle(B)$  by application of SBIt

2.

Case: $\mathcal{E} = \dfrac{}{\Delta;\Gamma \vdash \cdot : \langle B \Rightarrow A\rangle(\cdot)}$ TmBase
  $\Delta';\Gamma' \vdash \cdot : \langle B \Rightarrow A\rangle(\cdot)$  by application of TmBase
  $\Delta';\Gamma' \vdash [\theta;\rho](\cdot) : \langle B \Rightarrow A\rangle(\cdot)$  by application of SBXiEmpty

Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma) \qquad \mathcal{D}_1 :: \Delta;\Gamma \vdash M : C(B, A, B')}{\Delta;\Gamma \vdash (\Xi \mid c \Rightarrow M) : \langle B \Rightarrow A\rangle(\Sigma, c{:}B')}$ TmInd
  $\Delta;\Gamma \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma)$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](\Xi) : \langle B \Rightarrow A\rangle(\Sigma)$  by ind. hyp. (2)
  $\Delta;\Gamma \vdash M : C(B, A, B')$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](M) : C(B, A, B')$  by ind. hyp. (1)
  $\Delta';\Gamma' \vdash ([\theta;\rho](\Xi) \mid c \Rightarrow [\theta;\rho](M)) : \langle B \Rightarrow A\rangle(\Sigma, c{:}B')$  by application of TmInd
  $\Delta';\Gamma' \vdash [\theta;\rho](\Xi \mid c \Rightarrow M) : \langle B \Rightarrow A\rangle(\Sigma, c{:}B')$  by application of SBXi

3.

Case: $\mathcal{T} = \dfrac{}{\Delta;\Gamma \vdash \cdot : \langle\omega\rangle(\cdot)}$ TrBase
  $\Delta';\Gamma' \vdash \cdot : \langle\omega\rangle(\cdot)$  by application of TrBase
  $\Delta';\Gamma' \vdash [\theta;\rho](\cdot) : \langle\omega\rangle(\cdot)$  by application of SBOmegaEmpty

Case: $\mathcal{T} = \dfrac{\mathcal{T}_1 :: \Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma) \qquad \mathcal{D}_1 :: \Delta;\Gamma \vdash M : \langle\omega\rangle(B')}{\Delta;\Gamma \vdash (\Omega \mid c \mapsto M) : \langle\omega\rangle(\Sigma, c{:}B')}$ TrInd
  $\Delta;\Gamma \vdash \Omega : \langle\omega\rangle(\Sigma)$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](\Omega) : \langle\omega\rangle(\Sigma)$  by ind. hyp. (3)
  $\Delta;\Gamma \vdash M : \langle\omega\rangle(B')$  by assumption
  $\Delta';\Gamma' \vdash [\theta;\rho](M) : \langle\omega\rangle(B')$  by ind. hyp. (1)
  $\Delta';\Gamma' \vdash ([\theta;\rho](\Omega) \mid c \mapsto [\theta;\rho](M)) : \langle\omega\rangle(\Sigma, c{:}B')$  by application of TrInd
  $\Delta';\Gamma' \vdash [\theta;\rho](\Omega \mid c \mapsto M) : \langle\omega\rangle(\Sigma, c{:}B')$  by application of SBOmega
□


Lemma 6.25 (Type preservation of atomic and canonical forms)

1. If $\Psi \vdash V \downarrow B$ then $\cdot;\Psi \vdash V : B$
2. If $\Psi \vdash V \Uparrow B$ then $\cdot;\Psi \vdash V : B$

Proof: by induction over $\mathcal{D} :: \Psi \vdash V \downarrow B$ and $\mathcal{E} :: \Psi \vdash V \Uparrow B$.

Case: $\mathcal{D} = \dfrac{\Psi(x) = B}{\Psi \vdash x \downarrow B}$ AtVar
  $\Psi(x) = B$  by assumption
  $\cdot;\Psi \vdash x : B$  by application of TpVarReg

Case: $\mathcal{D} = \dfrac{\Sigma(c) = B}{\Psi \vdash c \downarrow B}$ AtConst
  $\Sigma(c) = B$  by assumption
  $\cdot;\Psi \vdash c : B$  by application of TpConst

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi \vdash V_1 \downarrow B_2 \to B_1 \qquad \mathcal{E}_2 :: \Psi \vdash V_2 \Uparrow B_2}{\Psi \vdash V_1\,V_2 \downarrow B_1}$ AtApp
  $\Psi \vdash V_1 \downarrow B_2 \to B_1$  by assumption
  $\cdot;\Psi \vdash V_1 : B_2 \to B_1$  by ind. hyp. (1)
  $\Psi \vdash V_2 \Uparrow B_2$  by assumption
  $\cdot;\Psi \vdash V_2 : B_2$  by ind. hyp. (2)
  $\cdot;\Psi \vdash V_1\,V_2 : B_1$  by application of TpApp

Case: $\mathcal{E} = \dfrac{\mathcal{D}_1 :: \Psi \vdash V \downarrow a}{\Psi \vdash V \Uparrow a}$ CanAt
  $\Psi \vdash V \downarrow a$  by assumption
  $\cdot;\Psi \vdash V : a$  by ind. hyp. (1)

Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi, x{:}B_1 \vdash V \Uparrow B_2}{\Psi \vdash \lambda x{:}B_1.\,V \Uparrow B_1 \to B_2}$ CanLam
  $\Psi, x{:}B_1 \vdash V \Uparrow B_2$  by assumption
  $\cdot;\Psi, x{:}B_1 \vdash V : B_2$  by ind. hyp. (2)
  $\cdot;\Psi \vdash \lambda x{:}B_1.\,V : B_1 \to B_2$  by application of TpLam
□

Lemma 6.28 (Goal types and abstraction closure types) $\tau(\Pi\{\Psi\}.\,B) = \tau(B)$

Proof: by induction over $\Psi$.

Case: $\Psi = \cdot$
  $\tau(\Pi\{\cdot\}.\,B) = \tau(B)$  by definition 5.9

Case: $\Psi = \Psi', x{:}B'$
  $\tau(\Pi\{\Psi', x{:}B'\}.\,B) = \tau(\Pi\{\Psi'\}.\,B' \to B)$  by definition 5.9
  $\tau(\Pi\{\Psi'\}.\,B' \to B) = \tau(B' \to B)$  by ind. hyp.
  $\tau(\Pi\{\Psi', x{:}B'\}.\,B) = \tau(B)$  by definition 4.15
□


Lemma 6.30 (Properties of subordination) Let $c{:}C \in \Sigma$ and $B$ a pure type.

1. If $a \in \mathrm{Source}(C)$ then $a \unlhd_B \tau(C)$
2. If $a_1 \unlhd_B a_2$ and $a_2 \unlhd_B a_3$ then $a_1 \unlhd_B a_3$

Proof:

1. $a \in \mathrm{Source}(C)$  by assumption
  $a <_C \tau(C)$  by definition 4.19
  $a \lhd_\Sigma \tau(C)$  by definition 4.20
  $a \unlhd_B \tau(C)$  by definition 4.24

2. Case: $a_2 \lhd_B a_3$
    $a_1 \unlhd_B a_3$  by transitivity
  Case: $a_2 = a_3$
    $a_1 \unlhd_B a_3$  by definition
□


Lemma 6.32 (Properties of context subordination) Let $B$ be a pure type.

If $\Psi = (\Psi_1, x{:}B') \cup \Psi_2$ and $\Psi \unlhd_B \tau(B)$ then $\tau(B') \unlhd_B \tau(B)$ implies that for all $y \in \mathrm{Source}(B')$: $y \unlhd_B \tau(B)$.

Proof: by induction over $\Psi_2$.

Case: $\Psi_2 = \cdot$
  $\Psi = (\Psi_1, x{:}B') \cup \cdot$  by assumption
  $\Psi = \Psi_1, x{:}B'$  by definition CuBase
  $\Psi_1, x{:}B' \unlhd_B \tau(B)$  by assumption
  If $\tau(B') \unlhd_B \tau(B)$ then for all $y \in \mathrm{Source}(B')$: $y \unlhd_B \tau(B)$  by definition 6.31

Case: $\Psi_2 = \Psi_2', z{:}B''$, $x \neq z$
  $\Psi = (\Psi_1, x{:}B') \cup (\Psi_2', z{:}B'')$  by assumption
  $\Psi = ((\Psi_1, x{:}B') \cup \Psi_2'), z{:}B''$  by definition CuInd
  If $\tau(B') \unlhd_B \tau(B)$ then for all $y \in \mathrm{Source}(B')$: $y \unlhd_B \tau(B)$  by ind. hyp.
□


Lemma 6.34 (Property of dynamic typing)

If $B' \in \mathrm{PCT}(B)$ then $a \lhd_{B'} \tau(B')$ implies $a \lhd_B \tau(B')$.

Proof: by induction over $B$.

  $B' \in \mathrm{PCT}(B)$  by assumption
  $B = B_1 \to B_2$  by definition 4.22
  $\mathrm{PCT}(B) = \{B_1\} \cup \mathrm{PCT}(B_2)$  by definition 4.22

Case: $B' = B_1$
  $a \lhd_{B_1} \tau(B_1)$  by assumption
  $a \lhd_{B_1 \to B_2} \tau(B_1)$  by definition 4.23
  $a \lhd_B \tau(B')$  by definition

Case: $B' \neq B_1$
  $B' \in \mathrm{PCT}(B_2)$  by assumption
  $a \lhd_{B'} \tau(B')$  by assumption
  $a \lhd_{B_2} \tau(B')$  by ind. hyp.
  $a \lhd_{B_1 \to B_2} \tau(B')$  by definition 4.23
  $a \lhd_B \tau(B')$  by definition
□

Lemma 6.35 (Independence)

If $\tau(B) \ntrianglelefteq_B \tau(C)$ then $\mathrm{Source}(C) \cap I(\Sigma; B) = \emptyset$.

Proof: by contradiction.

  Suppose $\mathrm{Source}(C) \cap I(\Sigma; B) \neq \emptyset$
  Let $a \in \mathrm{Source}(C) \cap I(\Sigma; B)$  by definition
  $a \in \mathrm{Source}(C)$  by definition
  $a \unlhd_B \tau(C)$  by lemma 6.30
  $a \in I(\Sigma; B)$  by definition
  $\tau(B) \unlhd_B a$  by definition 4.25
  $\tau(B) \unlhd_B \tau(C)$  by definition 4.24
  Contradiction
□


Lemma 6.36 (Properties of Join) Let $c{:}C \in \Sigma$, $\alpha$ arbitrary and $\vdash \omega : \alpha$.

If $\mathrm{Source}(C) \cap \alpha = \emptyset$ and $\tau(C) \notin \alpha$ then $\langle\omega\rangle(C) = C$.

Proof: by induction on $C$.

Case: $C = a$
  $\tau(C) = a$  by definition 4.15
  $a \notin \alpha$  by assumption
  $\omega(a)$ is not defined  by definition 4.26
  $\langle\omega\rangle(a) = a$  by definition
  $\langle\omega\rangle(C) = \langle\omega\rangle(a) = a = C$

Case: $C = C_1 \to C_2$
  $\mathrm{Source}(C) = \mathrm{Source}(C_1) \cup \{\tau(C_1)\} \cup \mathrm{Source}(C_2)$  by definition 4.16
  $\mathrm{Source}(C_1) \subseteq \mathrm{Source}(C)$  by definition
  $\mathrm{Source}(C_1) \cap \alpha = \emptyset$  by definition
  $\tau(C_1) \in \mathrm{Source}(C)$  by definition
  $\tau(C_1) \notin \alpha$  by definition
  $\langle\omega\rangle(C_1) = C_1$  by ind. hyp.
  $\mathrm{Source}(C_2) \subseteq \mathrm{Source}(C)$  by definition
  $\mathrm{Source}(C_2) \cap \alpha = \emptyset$  by definition
  $\tau(C_2) = \tau(C_1 \to C_2)$  by definition 4.15
  $\tau(C_2) \notin \alpha$  by assumption
  $\langle\omega\rangle(C_2) = C_2$  by ind. hyp.
  $\langle\omega\rangle(C) = \langle\omega\rangle(C_1 \to C_2)$  by assumption
  $\langle\omega\rangle(C) = \langle\omega\rangle(C_1) \to \langle\omega\rangle(C_2)$  by definition 4.26
  $\langle\omega\rangle(C) = C_1 \to C_2$  by definition
  $\langle\omega\rangle(C) = C$  by assumption
□


Lemma 6.37 (Properties of subordination)

If $\tau(C) \notin I(\Sigma; B)$ and $\tau(C) \unlhd_B \tau(B)$ then $\tau(B) \ntriangleleft_B \tau(C)$.

Proof: by contradiction.

Case: $\tau(C) \lhd_B \tau(B)$
  Suppose $\tau(B) \lhd_B \tau(C)$  by assumption
  $\tau(C) \in I(\Sigma; B)$  by definition 4.25
  Contradiction

Case: $\tau(C) = \tau(B)$
  Suppose $\tau(B) \lhd_B \tau(C)$  by assumption
  $\tau(C) \lhd_B \tau(B)$  by definition
  $\tau(C) \in I(\Sigma; B)$  by definition 4.25
  Contradiction
□
C Canonical form theorem

Lemma 7.1 (Self evaluation)

1. If $\Psi \vdash M \hookrightarrow V : B$ and $\Psi \vdash V \Uparrow B$ then $\Psi \vdash M \Uparrow V : B$
2. If $\Psi \vdash V \Uparrow B$ then $\Psi \vdash V \hookrightarrow V : B$
3. If $\Psi \vdash V \downarrow B$ then $\Psi \vdash V \hookrightarrow V : B$

Proof: by mutual induction over $\mathcal{D} :: \Psi \vdash V \Uparrow B$, $\mathcal{E} :: \Psi \vdash V \Uparrow B$, and $\mathcal{F} :: \Psi \vdash V \downarrow B$.

1. Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi \vdash V \downarrow a}{\Psi \vdash V \Uparrow a}$ CanAt
  $\Psi \vdash M \hookrightarrow V : a$  by assumption
  $\Psi \vdash M \Uparrow V : a$  by application of EcAtomic

  Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi, x{:}B_1 \vdash V_2 \Uparrow B_2}{\Psi \vdash \lambda x{:}B_1.\,V_2 \Uparrow B_1 \to B_2}$ CanLam
  $\Psi \vdash M \hookrightarrow \lambda x{:}B_1.\,V_2 : B_1 \to B_2$  by assumption
  $\Psi \geq \Psi$  by application of CeBase
  $\Psi, x{:}B_1 \geq \Psi$  by application of CeInd
  $\Psi, x{:}B_1 \vdash M \hookrightarrow \lambda x{:}B_1.\,V_2 : B_1 \to B_2$  by lemma 6.26
  $\Psi, x{:}B_1 \vdash V_2 \hookrightarrow V_2 : B_2$  by ind. hyp. (2)
  $\Psi, x{:}B_1 \vdash x \hookrightarrow x : B_1$  by application of EvVar
  $\Psi, x{:}B_1 \vdash [x/x](V_2) \hookrightarrow V_2 : B_2$  by definition
  $\Psi, x{:}B_1 \vdash M\,x \hookrightarrow V_2 : B_2$  by application of EvApp
  $\Psi, x{:}B_1 \vdash M\,x \Uparrow V_2 : B_2$  by ind. hyp. (1)
  $\Psi \vdash M \Uparrow \lambda x{:}B_1.\,V_2 : B_1 \to B_2$  by application of EcArrow

2. Case: $\mathcal{E} = \dfrac{\mathcal{F}_1 :: \Psi \vdash V \downarrow a}{\Psi \vdash V \Uparrow a}$ CanAt
  $\Psi \vdash V \hookrightarrow V : a$  by ind. hyp. (3)

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi, x{:}B_1 \vdash V_2 \Uparrow B_2}{\Psi \vdash \lambda x{:}B_1.\,V_2 \Uparrow B_1 \to B_2}$ CanLam
  $\cdot;\Psi, x{:}B_1 \vdash V_2 : B_2$  by lemma 6.25
  $\Psi \vdash \lambda x{:}B_1.\,V_2 \hookrightarrow \lambda x{:}B_1.\,V_2 : B_1 \to B_2$  by application of EvLam

3. Case: $\mathcal{F} = \dfrac{\Psi(x) = B}{\Psi \vdash x \downarrow B}$ AtVar
  $\Psi \vdash x \hookrightarrow x : B$  by application of EvVar

  Case: $\mathcal{F} = \dfrac{\Sigma(c) = B}{\Psi \vdash c \downarrow B}$ AtConst
  $\Psi \vdash c \hookrightarrow c : B$  by application of EvConst

  Case: $\mathcal{F} = \dfrac{\mathcal{F}_1 :: \Psi \vdash V_1 \downarrow B_2 \to B_1 \qquad \mathcal{E}_2 :: \Psi \vdash V_2 \Uparrow B_2}{\Psi \vdash V_1\,V_2 \downarrow B_1}$ AtApp
  $\Psi \vdash V_1 \hookrightarrow V_1 : B_2 \to B_1$  by ind. hyp. (3)
  $\Psi \vdash V_2 \hookrightarrow V_2 : B_2$  by ind. hyp. (2)
  $\Psi \vdash V_2 \Uparrow V_2 : B_2$  by ind. hyp. (1)
  $\Psi \vdash V_1\,V_2 \hookrightarrow V_1\,V_2 : B_1$  by application of EvAtomic
□


Lemma 7.2 (Property of evaluation results)

1. If $\Psi \vdash M \Uparrow V : B$ then $\Psi \vdash V \Uparrow B$
2. If $\Psi \vdash M \hookrightarrow V : a$ then $\Psi \vdash V \downarrow a$

Proof: by mutual induction over $\mathcal{D} :: \Psi \vdash M \Uparrow V : B$ and $\mathcal{E} :: \Psi \vdash M \hookrightarrow V : a$.

1. Case: $\mathcal{D} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M \hookrightarrow V : a}{\Psi \vdash M \Uparrow V : a}$ EcAtomic
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2)
  $\Psi \vdash V \Uparrow a$  by application of CanAt

  Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Psi, x{:}B_1 \vdash M\,x \Uparrow V_2 : B_2}{\Psi \vdash M \Uparrow \lambda x{:}B_1.\,V_2 : B_1 \to B_2}$ EcArrow
  $\Psi, x{:}B_1 \vdash V_2 \Uparrow B_2$  by ind. hyp. (1)
  $\Psi \vdash \lambda x{:}B_1.\,V_2 \Uparrow B_1 \to B_2$  by application of CanLam

2. Case: $\mathcal{E} = \dfrac{\Psi(x) = a}{\Psi \vdash x \hookrightarrow x : a}$ EvVar
  $\Psi \vdash x \downarrow a$  by application of AtVar

  Case: $\mathcal{E} = \dfrac{\Sigma(c) = a}{\Psi \vdash c \hookrightarrow c : a}$ EvConst
  $\Psi \vdash c \downarrow a$  by application of AtConst

  Case: EvLam cannot occur, since its result type is not atomic.

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M_1 \hookrightarrow \lambda x{:}A_2.\,M_1' : A_2 \to a \qquad \mathcal{E}_2 :: \Psi \vdash M_2 \hookrightarrow V_2 : A_2 \qquad \mathcal{E}_3 :: \Psi \vdash [V_2/x](M_1') \hookrightarrow V : a}{\Psi \vdash M_1\,M_2 \hookrightarrow V : a}$ EvApp
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2) on $\mathcal{E}_3$

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M_1 \hookrightarrow V_1 : B_2 \to a \qquad \mathcal{F}_1 :: \Psi \vdash V_1 \downarrow B_2 \to a \qquad \mathcal{D}_2 :: \Psi \vdash M_2 \Uparrow V_2 : B_2}{\Psi \vdash M_1\,M_2 \hookrightarrow V_1\,V_2 : a}$ EvAtomic
  $\Psi \vdash V_2 \Uparrow B_2$  by ind. hyp. (1) on $\mathcal{D}_2$
  $\Psi \vdash V_1\,V_2 \downarrow a$  by application of AtApp on $\mathcal{F}_1$

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M \hookrightarrow \langle M_1, M_2\rangle : a \times A_2 \qquad \mathcal{E}_2 :: \Psi \vdash M_1 \hookrightarrow V : a}{\Psi \vdash \mathbf{fst}\,M \hookrightarrow V : a}$ EvFst
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2) on $\mathcal{E}_2$

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M \hookrightarrow \langle M_1, M_2\rangle : A_1 \times a \qquad \mathcal{E}_2 :: \Psi \vdash M_2 \hookrightarrow V : a}{\Psi \vdash \mathbf{snd}\,M \hookrightarrow V : a}$ EvSnd
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2) on $\mathcal{E}_2$

  Case: EvBox cannot occur, since its result type is not atomic.

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M_1 \hookrightarrow \mathbf{box}\,M_1' : \Box A \qquad \mathcal{E}_2 :: \Psi \vdash [M_1'/x](M_2) \hookrightarrow V : a}{\Psi \vdash \mathbf{let\ box}\ x = M_1\ \mathbf{in}\ M_2 \hookrightarrow V : a}$ EvLet
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2) on $\mathcal{E}_2$

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M \hookrightarrow \mathbf{box}\,M' : \Box B \qquad \cdot \vdash M' \Uparrow V' : B \qquad \mathcal{E}_2 :: \Psi \vdash \langle B \Rightarrow A; \Xi; \cdot\rangle(V') \hookrightarrow V : a}{\Psi \vdash \mathbf{case}(A)\,M\,(\Xi) \hookrightarrow V : a}$ EvCase
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2) on $\mathcal{E}_2$

  Case: $\mathcal{E} = \dfrac{\mathcal{E}_1 :: \Psi \vdash M \hookrightarrow \mathbf{box}\,M' : \Box B \qquad \cdot \vdash M' \Uparrow V' : B \qquad \mathcal{E}_2 :: \Psi \vdash (\omega;\Omega)(V') \hookrightarrow V : a}{\Psi \vdash \mathbf{it}(\omega)\,M\,(\Omega) \hookrightarrow V : a}$ EvIt
  $\Psi \vdash V \downarrow a$  by ind. hyp. (2) on $\mathcal{E}_2$
□


Lemma 7.3 (Evaluation to atomic forms implies evaluation to canonical forms)

If $\Psi \vdash M \hookrightarrow V : B$ and $\Psi \vdash V \downarrow B$ then $\Psi \vdash M \Uparrow V' : B$ for some $V'$.

Proof: by induction over $B$.

Case: $B = a$
  $\Psi \vdash M \hookrightarrow V : a$  by assumption
  $\Psi \vdash M \Uparrow V : a$  by application of EcAtomic

Case: $B = B_1 \to B_2$
  Let $\Psi' = \Psi, x{:}B_1$  by definition
  $\Psi'(x) = B_1$  by definition 2.2
  $\Psi' \vdash x \hookrightarrow x : B_1$  by application of EvVar
  $\Psi' \vdash x \downarrow B_1$  by application of AtVar
  $\Psi' \vdash x \Uparrow V_x : B_1$  by ind. hyp.
  $\Psi' \vdash V_x \Uparrow B_1$  by lemma 7.2 (1)
  $\Psi \vdash M \hookrightarrow V : B_1 \to B_2$  by assumption
  $\Psi \geq \Psi$  by definition CeBase
  $\Psi' \geq \Psi$  by definition CeInd
  $\Psi' \vdash M \hookrightarrow V : B_1 \to B_2$  by lemma 6.26
  $\Psi' \vdash V \downarrow B_1 \to B_2$  by assumption
  $\Psi' \vdash M\,x \hookrightarrow V\,V_x : B_2$  by application of EvAtomic
  $\Psi' \vdash V\,V_x \downarrow B_2$  by application of AtApp
  $\Psi' \vdash M\,x \Uparrow V' : B_2$  by ind. hyp.
  $\Psi, x{:}B_1 \vdash M\,x \Uparrow V' : B_2$  by definition
  $\Psi \vdash M \Uparrow \lambda x{:}B_1.\,V' : B_1 \to B_2$  by application of EcArrow
□

Lemma 7.6 (Type preservation for replacements) If $\Psi + \cdot \vdash \Omega \in [\langle\omega\rangle(\Sigma; \cdot)]$ then $\cdot;\Psi \vdash \Omega : \langle\omega\rangle(\Sigma)$.

Proof: by induction over $\Sigma$.

Case: $\Sigma = \cdot$
  $\cdot;\Psi \vdash \cdot : \langle\omega\rangle(\cdot)$  by application of TrBase

Case: $\Sigma = \Sigma', c{:}B$
  $\Psi + \cdot \vdash \Omega \in [\langle\omega\rangle(\Sigma', c{:}B; \cdot)]$  by assumption
  $\Omega = \Omega' \mid c \mapsto M$  by definition 7.5
  $\Psi \vdash M \in [\langle\omega\rangle(B)]$  by definition 7.5
  $\cdot;\Psi \vdash M : \langle\omega\rangle(B)$  by definition 7.4
  $\Psi + \cdot \vdash \Omega' \in [\langle\omega\rangle(\Sigma'; \cdot)]$  by definition 7.5
  $\cdot;\Psi \vdash \Omega' : \langle\omega\rangle(\Sigma')$  by ind. hyp.
  $\cdot;\Psi \vdash (\Omega' \mid c \mapsto M) : \langle\omega\rangle(\Sigma', c{:}B)$  by application of TrInd
□

Lemma 7.8 (Type preservation for matches) If $\Psi + \cdot \vdash \Xi \in [\langle B \Rightarrow A\rangle(\Sigma; \cdot)]$ then $\cdot;\Psi \vdash \Xi : \langle B \Rightarrow A\rangle(\Sigma)$.

Proof: by induction over $\Sigma$.

Case: $\Sigma = \cdot$
  $\cdot;\Psi \vdash \cdot : \langle B \Rightarrow A\rangle(\cdot)$  by application of TmBase

Case: $\Sigma = \Sigma', c{:}B'$
  $\Psi + \cdot \vdash \Xi \in [\langle B \Rightarrow A\rangle(\Sigma', c{:}B'; \cdot)]$  by assumption
  $\Xi = \Xi' \mid c \Rightarrow M$  by definition 7.7
  $\Psi \vdash M \in [C(B, A, B')]$  by definition 7.7
  $\cdot;\Psi \vdash M : C(B, A, B')$  by definition 7.4
  $\Psi + \cdot \vdash \Xi' \in [\langle B \Rightarrow A\rangle(\Sigma'; \cdot)]$  by definition 7.7
  $\cdot;\Psi \vdash \Xi' : \langle B \Rightarrow A\rangle(\Sigma')$  by ind. hyp.
  $\cdot;\Psi \vdash (\Xi' \mid c \Rightarrow M) : \langle B \Rightarrow A\rangle(\Sigma', c{:}B')$  by application of TmInd
□


Lemma 7.9 (Weakening for logical relations)

1. If $\Psi \vdash M \in [A]$ and $\Psi' \geq \Psi$ then $\Psi' \vdash M \in [A]$
2. If $\Psi \vdash V \in |A|$ and $\Psi' \geq \Psi$ then $\Psi' \vdash V \in |A|$

Proof: by induction over $A$.

1. $\Psi \vdash M \in [A]$  by assumption
  $\cdot;\Psi \vdash M : A$  by definition 7.4
  $\Psi \vdash M \hookrightarrow V : A$  by definition 7.4
  $\Psi \vdash V \in |A|$  by definition 7.4
  $\cdot;\Psi' \vdash M : A$  by lemma 6.8
  $\Psi' \vdash M \hookrightarrow V : A$  by lemma 6.26
  $\Psi' \vdash V \in |A|$  by ind. hyp. (2)
  $\Psi' \vdash M \in [A]$  by definition 7.4

2. Case: $A = a$
  $\Psi \vdash V \Uparrow a$  by definition 7.4
  $\Psi' \vdash V \Uparrow a$  by lemma 6.24 (2)
  $\Psi' \vdash V \in |a|$  by definition 7.4

  Case: $A = A_1 \to A_2$
  Case: $V = \lambda x{:}A_1.\,M$
    Let $\Psi'' \geq \Psi'$ and $\Psi'' \vdash V' \in |A_1|$
    $\Psi'' \geq \Psi$  by lemma 6.3
    $\Psi'' \vdash [V'/x](M) \in [A_2]$  by definition 7.4
    $\Psi' \vdash \lambda x{:}A_1.\,M \in |A_1 \to A_2|$  by definition 7.4
  Case: $\Psi \vdash V \downarrow A_1 \to A_2$
    Let $\Psi'' \geq \Psi'$ and $\Psi'' \vdash V' \in |A_1|$
    $\Psi'' \geq \Psi$  by lemma 6.3
    $\Psi'' \vdash V\,V' \in |A_2|$  by definition 7.4
    $\Psi' \vdash V \in |A_1 \to A_2|$  by definition 7.4

  Case: $A = \Box A'$
  $\Psi \vdash \mathbf{box}\,M \in |\Box A'|$  by assumption
  $\cdot \vdash M \in |A'|$  by definition 7.4
  $\Psi' \vdash \mathbf{box}\,M \in |\Box A'|$  by definition 7.4
□

Lemma 7.10 (Weakening for logical relations for replacements)

If $\Psi + \Phi \vdash \Omega \in [\langle\omega\rangle(\Sigma; \Phi)]$ and $\Psi' \geq \Psi$ then $\Psi' + \Phi \vdash \Omega \in [\langle\omega\rangle(\Sigma; \Phi)]$.

Proof: by induction over $\Sigma, \Phi$.

Case: $\Sigma = \cdot$, $\Phi = \cdot$
  $\Omega = \cdot$  by definition 7.5
  $\Psi' + \cdot \vdash \cdot \in [\langle\omega\rangle(\cdot; \cdot)]$  by definition 7.5

Case: $\Sigma = \Sigma', c{:}B$, $\Phi = \cdot$
  $\Omega = \Omega' \mid c \mapsto M$  by definition 7.5
  $\Psi \vdash M \in [\langle\omega\rangle(B)]$  by definition 7.5
  $\Psi + \cdot \vdash \Omega' \in [\langle\omega\rangle(\Sigma'; \cdot)]$  by definition 7.5
  $\Psi' \vdash M \in [\langle\omega\rangle(B)]$  by lemma 7.9 (1)
  $\Psi' + \cdot \vdash \Omega' \in [\langle\omega\rangle(\Sigma'; \cdot)]$  by ind. hyp.
  $\Psi' + \cdot \vdash \Omega' \mid c \mapsto M \in [\langle\omega\rangle(\Sigma', c{:}B; \cdot)]$  by definition 7.5

Case: $\Phi = \Phi', x{:}B$
  $\Omega = \Omega' \mid x \mapsto u$  by definition 7.5
  $\Psi \vdash u \in [\langle\omega\rangle(B)]$  by definition 7.5
  $\Psi + \Phi' \vdash \Omega' \in [\langle\omega\rangle(\Sigma; \Phi')]$  by definition 7.5
  $\Psi' \vdash u \in [\langle\omega\rangle(B)]$  by lemma 7.9 (1)
  $\Psi' + \Phi' \vdash \Omega' \in [\langle\omega\rangle(\Sigma; \Phi')]$  by ind. hyp.
  $\Psi' + \Phi', x{:}B \vdash \Omega' \mid x \mapsto u \in [\langle\omega\rangle(\Sigma; \Phi', x{:}B)]$  by definition 7.5
□


Lemma 7.11 (Weakening for logical relations for matches)

If $\Psi + \Phi \vdash \Xi \in [\langle B \Rightarrow A\rangle(\Sigma; \Phi)]$ and $\Psi' \geq \Psi$ then $\Psi' + \Phi \vdash \Xi \in [\langle B \Rightarrow A\rangle(\Sigma; \Phi)]$.

Proof: by induction over $\Sigma, \Phi$.

Case: $\Sigma = \cdot$, $\Phi = \cdot$
  $\Xi = \cdot$  by definition 7.7
  $\Psi' + \cdot \vdash \cdot \in [\langle B \Rightarrow A\rangle(\cdot; \cdot)]$  by definition 7.7

Case: $\Sigma = \Sigma', c{:}B'$, $\Phi = \cdot$
  $\Xi = \Xi' \mid c \Rightarrow M$  by definition 7.7
  $\Psi \vdash M \in [C(B, A, B')]$  by definition 7.7
  $\Psi + \cdot \vdash \Xi' \in [\langle B \Rightarrow A\rangle(\Sigma'; \cdot)]$  by definition 7.7
  $\Psi' \vdash M \in [C(B, A, B')]$  by lemma 7.9 (1)
  $\Psi' + \cdot \vdash \Xi' \in [\langle B \Rightarrow A\rangle(\Sigma'; \cdot)]$  by ind. hyp.
  $\Psi' + \cdot \vdash \Xi' \mid c \Rightarrow M \in [\langle B \Rightarrow A\rangle(\Sigma', c{:}B'; \cdot)]$  by definition 7.7

Case: $\Phi = \Phi', x{:}B'$
  $\Xi = \Xi' \mid x \Rightarrow u$  by definition 7.7
  $\Psi \vdash u \in [C(B, A, B')]$  by definition 7.7
  $\Psi + \Phi' \vdash \Xi' \in [\langle B \Rightarrow A\rangle(\Sigma; \Phi')]$  by definition 7.7
  $\Psi' \vdash u \in [C(B, A, B')]$  by lemma 7.9 (1)
  $\Psi' + \Phi' \vdash \Xi' \in [\langle B \Rightarrow A\rangle(\Sigma; \Phi')]$  by ind. hyp.
  $\Psi' + \Phi', x{:}B' \vdash \Xi' \mid x \Rightarrow u \in [\langle B \Rightarrow A\rangle(\Sigma; \Phi', x{:}B')]$  by definition 7.7
□

Lemma 7.12 (Access to logical relations for replacements I) If $\Sigma = (\Sigma_1, c{:}B) \cup \Sigma_2$ and $\Psi + \Phi \vdash \Omega \in [\langle\omega\rangle(\Sigma; \Phi)]$ then $\Psi \vdash M \in [\langle\omega\rangle(B)]$ and $M = (\omega;\Omega)(c)$.

Proof: by induction over the structure of $\Phi$, $\Sigma_2$.

Case: $\Phi = \cdot$
  Case: $\Sigma_2 = \cdot$
    $\Sigma = \Sigma_1, c{:}B$  by definition CuBase
    $\Omega = \Omega' \mid c \mapsto M$  by definition 7.5
    $(\omega;\Omega)(c) = M$  by definition ElConst
    $\Psi \vdash M \in [\langle\omega\rangle(B)]$  by definition 7.5

  Case: $\Sigma_2 = \Sigma_2', c'{:}B'$
    $\Sigma = (\Sigma_1, c{:}B) \cup (\Sigma_2', c'{:}B')$  by definition
    $\Sigma = ((\Sigma_1, c{:}B) \cup \Sigma_2'), c'{:}B'$  by definition CuInd
    $\Psi \vdash M \in [\langle\omega\rangle(B)]$  by ind. hyp.
    $M = (\omega;\Omega)(c)$  by ind. hyp.

Case: $\Phi = \Phi', y{:}B'$
  $\Psi \vdash M \in [\langle\omega\rangle(B)]$  by ind. hyp.
  $M = (\omega;\Omega)(c)$  by ind. hyp.
□

Lemma 7.13 (Access to logical relations for replacements II)

If $\Sigma(c)$ is undefined and $\Psi + \Phi \vdash \Omega \in [(\omega)(\Sigma; \Psi)]$ then $\Omega(c)$ is undefined
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Proof:  by  induction  over  the  structure  of  T,  S: 

Case:  T  =  •: 


Case:  S  =  •: 


S(c)  is  undefined 

by  definition 

Case:  S  =  S',  c'  :  B': 

S(c)  is  undefined 

by  assumption 

(S',  c'  :  B'){c)  is  undefined 

by  definition 

S'(c)  is  undefined 

by  definition 

0(c)  is  undefined 

by  ind.  hyp. 

Case:  T  =  T',  y  :  B': 

0(c)  is  undefined 

by  ind.  hyp. 

□ 

Lemma 7.14 (Access to logical relations for replacements III)

If $\Psi = \Psi_1, x : B \cup \Psi_2$ and $\Psi + \Phi \vdash \Omega \in [(\omega)(\Sigma; \Psi)]$ then $\Phi \vdash u \in [(\omega)(B)]$ and $\Phi = \Phi_1, u : (\omega)(B) \cup \Phi_2$ and $u = (\omega; \Omega)(x)$

Proof: by induction over the structure of $\Psi_2$:

Case:  T2  =  •: 

T  =  Ti,  a;  :  H 

by  definition  CuBase 

=y  0  =  0'  a;  I— 7-  M 

by  definition  7.5 

(oa;  0)(a;)  =  u 

by  definition  ElVar 

^  TharG  [(c^)(H)] 

by  definition  7.5 

T  h  M  M  :  (aa)(_B) 

by  definition  7.4 

^  ^{u)  =  {u){B) 

by  inversion  using  EvVar 

=>  T  =  §1,  M  :  (cj)(H)  U  §2 

by  definition  Cuind 

Case:  T2  = 

T  =  Ti,  a;  :  H  U  T'2,  y  :  B' 

by  definition 

^  T  =  (Ti,  a;  :  H  U  T'2),  y  :  H' 

by  definition  Cuind 

^  TharG  [(c^)(H)] 

by  ind.  hyp. 

^  T  =  Ti,ai  :  (cj)(H)  UT'2 

by  ind.  hyp. 

u  =  (uj]  0)(a;) 

by  ind.  hyp. 

□ 


Lemma 7.15 (Access to logical relations for matches I)

If $\Sigma = \Sigma_1, c : B' \cup \Sigma_2$ and $\Psi + \Phi \vdash \Xi \in [(B \Rightarrow A)(\Sigma; \Psi)]$ then $\Phi \vdash M \in [C(B, A, B')]$ and $M = \{B \Rightarrow A; \Xi; \Psi'\}(c)$ for an arbitrary $\Psi'$
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Proof:  by  induction  over  the  structure  of  T,  S2: 

Case:  T  =  •: 


Case:  S2  =  •: 


S  =  Si,  a;  : 

by  definition  CuBase 

^  c  M 

by  definition  7.7 

^  {H  ^  A;S;T'}(c)  =  M 

by  definition  SeVar 

^  TEMg  [C  {B,A,B)\ 

by  definition  7.7 

Case:  S2  =  S2,  y  :  B"\ 

S  =  Si,a;:H'US'2,y:H" 

by  definition 

^  S=  (Si,a;:H'US'2),y:H" 

by  definition  Cuind 

^  T  h  M  G  [C  (H,  A,H')] 

by  ind.  hyp. 

^  M  =  {H  ^  A;S;T'}(c) 

by  ind.  hyp. 

Case:  T  =  T',  y  :  B": 

^  T  h  M  G  [C  (H,  A,H')] 

by  ind.  hyp. 

^  M  =  {H  ^  A;S;T'}(c) 

by  ind.  hyp. 

□ 

Lemma 7.16 (Access to logical relations for matches I)

If $\Psi = \Psi_1, x : B' \cup \Psi_2$ and $\Psi + \Phi \vdash \Xi \in [(B \Rightarrow A)(\Sigma; \Psi)]$ then $\Phi \vdash u \in [C(B, A, B')]$ and $\Phi = \Phi_1, u : C(B, A, B') \cup \Phi_2$ and $u = \{B \Rightarrow A; \Xi; \Psi'\}(x)$ for an arbitrary $\Psi'$

Proof: by induction over the structure of $\Psi_2$:

Case:  T2  =  •: 

T  =  Ti,  a;  :  H' 

by  definition  CuBase 

S  =  S'  a;  I— 7-  M 

by  definition  7.7 

^  {H  ^  A;  S;  T'}(a;)  =  M 

by  definition  SeVar 

^  TEmG  [C  {B,A,B')} 

by  definition  7.7 

T  h  M -G  M  :  C  (H,  A,H') 

by  definition  7.4 

^  ^{u)  =C  {B,A,B') 

by  inversion  using  EvVar 

T  =  Ti,m  :  C  (H,  A,H')  U  T2 

by  definition  Cuind 

Case:  T2  =  ^'2,^  :  B”: 

T  =  Ti,  a;  :  H'  U  T'2,  y  :  H" 

by  definition 

^  T=  (Ti,a;:H'UT'2),y:H" 

by  definition  Cuind 

^  TEmG  [C  (H,A,H')] 

by  ind.  hyp. 

^  T  =  Ti ,  M  :  C  (H,  A,  H')  U  T'2 

by  ind.  hyp. 

^  M  =  {H  ^  A;  S;  T'}(a;) 

by  ind.  hyp. 
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□ 

Lemma 7.17 (Logical relations and canonical forms)

1. If $\Psi \vdash M \in [B]$ then $\Psi \vdash M \Uparrow V : B$
2. If $\Psi \vdash V \Downarrow B$ then $\Psi \vdash V \in |B|$

Proof: by induction over $B$:

Case: $B = a$:

1. $\Psi \vdash M \in [a]$  by assumption
$\Rightarrow$ $\Psi \vdash M \hookrightarrow V' : a$ and $\Psi \vdash V' \in |a|$  by definition 7.4
$\Rightarrow$ $\Psi \vdash V' \Uparrow a$  by definition 7.4
$\Rightarrow$ $\Psi \vdash V' \Downarrow a$  by inversion using CanAt
$\Rightarrow$ $\Psi \vdash M \Uparrow V : a$  by lemma 7.3

2. $\Psi \vdash V \Downarrow a$  by assumption
$\Psi \vdash V \Uparrow a$  by application of CanAt
$\Rightarrow$ $\Psi \vdash V \in |a|$  by definition 7.4

Case:  B  =  Bi  ^  B2'. 

1.  T  h  M  G  [Hi  ^  H2] 

by  assumption 

•;  T  h  Af  :  Hi  — ?■  H2 

by  definition  7.4 

T  h  Af  E  :  Hi  — ?■  H2 

by  definition  7.4 

^  T  h  E  G  |Hi  ^  H2I 

by  definition  7.4 

Case:  V  =  Xx:Bi.M' 

by  definition  7.4 

Let  T'  =  T,  a;  :  Hi 

by  definition 

^  T'(a;)  =  Hi 

by  definition 

T'  h  a;  a;  :  Hi 

by  application  of  EvVar 

h  a;  [,  Hi 

by  application  of  AtVar 

^  T'  h  a;  G  Hi 

by  ind.  hyp.  (2) 

^  T'h[a;/a;](AT')  G  [H2] 

by  definition  7.4 

^  T' h  [a;/a;](AT')  -G  E' :  H2 

by  definition  7.4 

^  T'  EE'  G  IH2I 

by  definition  7.4 

^  T  >  T 

by  application  of  CeBase 

^  T'  >  T 

by  application  of  Ceind 

^  T'  E  AT  -G  E  :  Hi  ^  H2 

by  lemma  6.26 

^  T'  E  AT  a;  -G  E'  :  H2 

by  application  of  EvApp 

^  •;T'Ea;:Hi 

by  application  of  T pVarReg 

^  -T' E  AT  :  Hi  ^  H2 

by  lemma  6.8  (2) 

^  •;  T'  E  AT  a;  :  H2 

by  application  of  T pApp 

^  T'  E  AT  a;  G  [H2] 

by  definition  7.4 

^  T'  E  AT  a;  fr  E'  :  H2 

by  ind.  hyp.  (1) 

T,  a;  :  Hi  E  AT  a;  fl  E'  :  H2 

by  definition 

^  T  E  AT  fr  Aa;:Hi.E' :  H2 

by  application  of  EcArrow 
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Case:  h  C  ;  ^  ^2 

by  definition  7.4 

Let  ,  X  :  Bi 

by  definition 

^  ^r'(a;)  =  Bi 

by  definition 

'L'  h  a;  M-  a;  :  _Bi 

by  application  of  EvVar 

'^'  \-  X  Bi 

by  application  of  AtVar 

'^'  \-  X  Vx  '■  Bi 

by  lemma  7.3 

by  application  of  CeBase 

by  application  of  Ceind 

^  'r  M  ^V  -.Bi^  B2 

by  lemma  6.26 

^  h  M  a;  C  T4  :  ^2 

by  application  of  EvAtomic 

^  ^>'hVxABi 

by  lemma  7.2  (1) 

^  ^''hCK  G  |5i  ^^2! 

by  definition  7.4 

^  •;  ^’' h  a;  :  _Bi 

by  application  of  T pVarReg 

^  'r  M  ■.  Bi  ^  B2 

by  lemma  6.8  (2) 

=>  'r  M  X  ■.  B2 

by  application  of  T pApp 

^  h  M  a;  G  [^2] 

by  definition  7.4 

^  h  M  a;  fr  C'  :  ^2 

by  ind.  hyp. 

=^  'L,  a;  :  _Bi  h  M  a;  fl-  C'  :  _B2 

by  definition 

^  ^  'r  M  \x-.Bi.V'  ■.  B2 

by  application  of  EcArrow 

2.  iBi^  B2 

Let  'L'  context,  s.t.  'L'  >  'L 

Let  V  s.t.  hV  i[  Bi 

=>  ^'hV  IBi^  B2 
=>  ^'hVV'iB2 
=>  ^'hVV'  e  \B2\ 

=>  e\Bi^  B2\ 

by  lemma  6.24 
by  application  of  AtApp 
by  ind.  hyp.  (2) 
by  definition  7.4 

□ 

Lemma 7.18 (Types of atomic objects are pure)

If $\Psi \vdash V \Downarrow A$ then $A$ is pure.

Proof:  by  induction  over  P  ::  'L  h  P  ),  A: 

^’(a;)  =  A 

Case.  V  AtVar 

^  \-  X  i  A 

^’(a;)  =  B 

by  assumption  on  T 

A  =  B  and  A  is  pure 

by  definition  signature 

S(c)  =  A 

Case.  V  AtConst 

h  c  ;  A 

S(c)  =  B 

by  assumption  on  S 

A  =  B  and  A  is  pure 

by  definition  context 
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Case:  V  = 


Vi 


A 


V2 

h  V2  it  B2 


T  h  El  E2  ;  A 


_B2  — 7-  A  is  pure 
A  is  pure 


AtApp 


by  ind.  hyp.  on  Vi 
by  definition  pure  types 

□ 


Lemma 7.19 (Well-typedness of logical relations)

If $\Psi \vdash V \in |A|$ then $\cdot; \Psi \vdash V : A$

Proof: by induction over $A$:


Case:  A  =  a: 


T  h  E  G  a 

by  assumption 

T  h  E  fl  a 

by  definition  7.4 

^  yT  h  E  :  a 

by  lemma  6.25 

Case:  A  =  Ai  — ?■  A2: 

E  E  G  |Ai  ^  A2I 

by  assumption 

Case:  E  =  Xx:Ai.M 

by  definition  7.4 

Let  T'  =  T,  a;  :  Ai 

by  definition 

^  T'(a;)  =  Ai 

by  definition 

^  T'  h  a;  ;  Ai 

by  application  of  AtVar 

^  T'  h  a;  G  Ai 

by  lemma  7.17 

^  T' h  [a;/a;](M)  G  [A2] 

by  definition  7.4 

- - 

=M 

•;  T,  a;  :  Ai  h  M  :  A2 

by  definition  7.4 

•;  T  h  \x  :  Ai.  M  :  Ai  — ?■  A2 

by  application  of  TpLam 

Case:  T  h  E  ^  Ai  ^  A2 

by  definition  7.4 

TEE),  Bi  — ?■  B2  and  Ai  =  Hi,  A2  =  B2 

by  lemma  7.18 

•;  T  E  E  :  Hi  — 7-  H2 

by  lemma  6.25 

Case:  A  =  DA': 

T  E  E  G  IDA'I 

by  assumption 

=y  E  =  box  M 

by  definition  7.4 

=>  T  E  box  M  G  InA'I 

by  definition  7.4 

^  •  E  M  G  [A'] 

by  definition  7.4 

^  •  E  M  :  A' 

by  definition  7.4 

^  •;  T  E  box  M  :  DA' 

by  application  of  T  pBox 
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□ 


Lemma 7.20 (Logical relations: Self evaluation of values)

If $\Psi \vdash V \in |A|$ then $\Psi \vdash V \hookrightarrow V : A$

Proof: by induction over $A$:

Case: $A = a$:

$\Psi \vdash V \in |a|$  by assumption
$\Psi \vdash V \Uparrow a$  by definition 7.4
$\Rightarrow$ $\Psi \vdash V \hookrightarrow V : a$  by lemma 7.1

Case: $A = A_1 \rightarrow A_2$:

$\Psi \vdash V \in |A_1 \rightarrow A_2|$  by assumption

Case: $V = \lambda x{:}A_1.\, M$  by definition 7.4
$\cdot; \Psi \vdash \lambda x{:}A_1.\, M : A_1 \rightarrow A_2$  by lemma 7.19
$\Psi \vdash \lambda x{:}A_1.\, M \hookrightarrow \lambda x{:}A_1.\, M : A_1 \rightarrow A_2$  by application of EvLam

Case: $\Psi \vdash V \Downarrow A_1 \rightarrow A_2$  by definition 7.4
$\Psi \vdash V \Downarrow B_1 \rightarrow B_2$ and $A_1 = B_1$, $A_2 = B_2$  by lemma 7.18
$\Rightarrow$ $\Psi \vdash V \hookrightarrow V : B_1 \rightarrow B_2$  by lemma 7.1

Case: $A = A_1 \times A_2$:

$\Psi \vdash V \in |A_1 \times A_2|$  by assumption
$\Rightarrow$ $V = (M_1, M_2)$  by definition 7.4
$\Psi \vdash M_1 \in [A_1]$  by definition 7.4
$\Rightarrow$ $\Psi \vdash M_2 \in [A_2]$  by definition 7.4
$\cdot; \Psi \vdash M_1 : A_1$  by definition 7.4
$\cdot; \Psi \vdash M_2 : A_2$  by definition 7.4
$\Psi \vdash (M_1, M_2) \hookrightarrow (M_1, M_2) : A_1 \times A_2$  by application of EvPair

Case: $A = \Box A'$:

$\Psi \vdash V \in |\Box A'|$  by assumption
$\Rightarrow$ $V = \mathrm{box}\ M$  by definition 7.4
$\Psi \vdash \mathrm{box}\ M \in |\Box A'|$  by definition 7.4
$\cdot; \Psi \vdash \mathrm{box}\ M : \Box A'$  by lemma 7.19
$\Rightarrow$ $\cdot; \cdot \vdash M : A'$  by inversion using TpBox
$\Psi \vdash \mathrm{box}\ M \hookrightarrow \mathrm{box}\ M : \Box A'$  by application of EvBox

□
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Lemma 7.21 (Logical relation subsumption)

If $\Psi \vdash V \in |A|$ then $\Psi \vdash V \in [A]$

Proof: $\Psi \vdash V \in |A|$  by assumption
$\Rightarrow$ $\Psi \vdash V \hookrightarrow V : A$  by lemma 7.20
$\Rightarrow$ $\cdot; \Psi \vdash V : A$  by lemma 7.19
$\Rightarrow$ $\Psi \vdash V \in [A]$  by definition 7.4
□

Lemma 7.22 (Logical relation is closed under application)

If $\Psi \vdash M_1 \in [A_2 \rightarrow A_1]$ and $\Psi \vdash M_2 \in [A_2]$ then $\Psi \vdash M_1\, M_2 \in [A_1]$

Proof: $\Psi \vdash M_1 \in [A_2 \rightarrow A_1]$  by assumption
$\cdot; \Psi \vdash M_1 : A_2 \rightarrow A_1$  by definition 7.4
$\Psi \vdash M_1 \hookrightarrow V_1 : A_2 \rightarrow A_1$  by definition 7.4
$\Rightarrow$ $\Psi \vdash V_1 \in |A_2 \rightarrow A_1|$  by definition 7.4
$\Psi \vdash M_2 \in [A_2]$  by assumption
$\cdot; \Psi \vdash M_2 : A_2$  by definition 7.4
$\Psi \vdash M_2 \hookrightarrow V_2 : A_2$  by definition 7.4
$\Rightarrow$ $\Psi \vdash V_2 \in |A_2|$  by definition 7.4
$\cdot; \Psi \vdash M_1\, M_2 : A_1$  by application of TpApp

Case: $V_1 = \lambda x{:}A_2.\, M_1'$:

$\Rightarrow$ $\Psi \vdash [V_2/x](M_1') \in [A_1]$  by definition 7.4
$\Rightarrow$ $\cdot; \Psi \vdash [V_2/x](M_1') : A_1$  by definition 7.4
$\Rightarrow$ $\Psi \vdash [V_2/x](M_1') \hookrightarrow V : A_1$  by definition 7.4
$\Psi \vdash V \in |A_1|$  by definition 7.4
$\Rightarrow$ $\Psi \vdash M_1\, M_2 \hookrightarrow V : A_1$  by application of EvApp
$\Rightarrow$ $\Psi \vdash M_1\, M_2 \in [A_1]$  by definition 7.4

Case: $\Psi \vdash V_1 \Downarrow A_2 \rightarrow A_1$:

$\Psi \vdash V_1 \Downarrow B_2 \rightarrow B_1$ and $A_2 = B_2$, $A_1 = B_1$  by lemma 7.18
$\Rightarrow$ $\Psi \vdash M_2 \Uparrow V_2' : B_2$  by lemma 7.17 (1)
$\Rightarrow$ $\Psi \vdash V_2' \Uparrow B_2$  by lemma 7.2 (1)
$\Rightarrow$ $\Psi \vdash V_1\, V_2' \in |B_1|$  by definition 7.4
$\Rightarrow$ $\Psi \vdash M_1\, M_2 \hookrightarrow V_1\, V_2' : B_1$  by application of EvAtomic
$\Rightarrow$ $\Psi \vdash M_1\, M_2 \in [B_1]$  by definition 7.4

□


Lemma 7.27 (Modal substitution restriction)
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If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\cdot \vdash \theta; \cdot \in [\Delta; \cdot]$

Proof: $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$  by assumption
$\Rightarrow$ $\vdash \theta \in [\Delta]$  by definition 7.23
$\Rightarrow$ $\cdot \vdash \cdot \in |\cdot|$  by definition 7.24
$\Rightarrow$ $\cdot \vdash \theta; \cdot \in [\Delta; \cdot]$  by definition 7.25
□


Lemma 7.28 (Well-typedness of modal substitutions in logical relations)

If $\vdash \theta \in [\Delta]$ then $\cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$

Proof: by induction over $\Delta$:

Case: $\Delta = \cdot$:

$\vdash \theta \in [\cdot]$  by assumption
$\Rightarrow$ $\theta = \cdot$  by definition 7.23
$\Rightarrow$ $\cdot; \cdot \vdash (\cdot; \cdot) : (\cdot; \cdot)$  by application of TSBase

Case: $\Delta = \Delta', x : A$:

$\vdash \theta \in [\Delta', x : A]$  by assumption
$\Rightarrow$ $\theta = \theta', M/x$  by definition 7.23
$\Rightarrow$ $\cdot \vdash M \in [A]$  by definition 7.23
$\Rightarrow$ $\vdash \theta' \in [\Delta']$  by definition 7.23
$\Rightarrow$ $\cdot; \cdot \vdash (\theta'; \cdot) : (\Delta'; \cdot)$  by ind. hyp.
$\Rightarrow$ $\cdot; \cdot \vdash M : A$  by definition 7.4
$\Rightarrow$ $\cdot; \cdot \vdash (\theta', M/x; \cdot) : (\Delta', x : A; \cdot)$  by application of TSMod
$\Rightarrow$ $\cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$  by definition

□


Lemma 7.29 (Well-typedness of arbitrary substitutions in logical relations)

If $\Psi \vdash \rho \in |\Gamma|$ then $\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$

Proof: by induction over $\Gamma$:

Case: $\Gamma = \cdot$:

$\Psi \vdash \rho \in |\cdot|$  by assumption
$\rho = \cdot$  by definition 7.24
$\cdot; \Psi \vdash (\cdot; \cdot) : (\cdot; \cdot)$  by application of TSBase

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Case: $\Gamma = \Gamma', x : A$:

$\Psi \vdash \rho \in |\Gamma', x : A|$  by assumption
$\rho = \rho', M/x$  by definition 7.24
$\Psi \vdash M \in |A|$  by definition 7.24
$\Rightarrow$ $\Psi \vdash M \in [A]$  by lemma 7.21
$\Rightarrow$ $\Psi \vdash \rho' \in |\Gamma'|$  by definition 7.24
$\Rightarrow$ $\cdot; \Psi \vdash (\cdot; \rho') : (\cdot; \Gamma')$  by ind. hyp.
$\Rightarrow$ $\cdot; \Psi \vdash M : A$  by definition 7.4
$\Rightarrow$ $\cdot; \Psi \vdash (\cdot; \rho', M/x) : (\cdot; \Gamma', x : A)$  by application of TSReg
$\Rightarrow$ $\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$  by definition

□


Lemma 7.30 (Combination of two substitutions)

If $\cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$ and $\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$ then $\cdot; \Psi \vdash (\theta; \rho) : (\Delta; \Gamma)$

Proof: by induction over $\mathcal{P} :: \cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$:

Case: $\mathcal{P} =$ TSBase, with conclusion $\cdot; \cdot \vdash (\cdot; \cdot) : (\cdot; \cdot)$:

$\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$  by assumption

Case: $\mathcal{P} =$ TSMod, with premises $\mathcal{P}_1 :: \cdot; \cdot \vdash M : A$ and $\mathcal{P}_2 :: \cdot; \cdot \vdash (\theta'; \cdot) : (\Delta'; \cdot)$ and conclusion $\cdot; \cdot \vdash (\theta', M/x; \cdot) : (\Delta', x : A; \cdot)$:

$\cdot; \Psi \vdash (\theta'; \rho) : (\Delta'; \Gamma)$  by ind. hyp.
$\cdot; \Psi \vdash (\theta; \rho) : (\Delta; \Gamma)$  by application of TSMod

□


Lemma 7.31 (Well-typedness of substitutions in logical relations)

If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\cdot; \Psi \vdash (\theta; \rho) : (\Delta; \Gamma)$

Proof: $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$  by assumption
$\Rightarrow$ $\vdash \theta \in [\Delta]$  by definition 7.25
$\Psi \vdash \rho \in |\Gamma|$  by definition 7.25
$\Rightarrow$ $\cdot; \cdot \vdash (\theta; \cdot) : (\Delta; \cdot)$  by lemma 7.28
$\Rightarrow$ $\cdot; \Psi \vdash (\cdot; \rho) : (\cdot; \Gamma)$  by lemma 7.29
$\Rightarrow$ $\cdot; \Psi \vdash (\theta; \rho) : (\Delta; \Gamma)$  by lemma 7.29
□
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Lemma 7.32 (Properties of logical relation for modal contexts)

If $\Delta = (\Delta_1, x : A) \cup \Delta_2$ and $\vdash \theta \in [\Delta]$ then $\theta(x) = M$ and $\cdot \vdash M \in [A]$

Proof: by induction over $\Delta_2$:

Case: $\Delta_2 = \cdot$:

$\Delta = (\Delta_1, x : A) \cup \cdot$  by assumption
$\Delta = \Delta_1, x : A$  by definition CuBase
$\vdash \theta \in [\Delta_1, x : A]$  by assumption
$\theta = \theta_1, M/x$  by definition 7.23
$\Rightarrow$ $\cdot \vdash M \in [A]$  by definition 7.23
$\Rightarrow$ $(\theta_1, M/x)(x) = M$  by definition SbaInd
$\theta(x) = M$  by definition

Case: $\Delta_2 = \Delta_2', y : A'$, $x \neq y$:

$\Delta = (\Delta_1, x : A) \cup (\Delta_2', y : A')$  by assumption
$\Delta = (\Delta_1, x : A) \cup \Delta_2', y : A'$  by definition CuInd
$\vdash \theta \in [(\Delta_1, x : A) \cup \Delta_2', y : A']$  by assumption
$\Rightarrow$ $\theta = \theta_1', M'/y$  by definition 7.23
$\Rightarrow$ $\cdot \vdash M' \in [A']$  by definition 7.23
$\Rightarrow$ $\vdash \theta_1' \in [(\Delta_1, x : A) \cup \Delta_2']$  by definition 7.23
$\Rightarrow$ $\theta_1'(x) = M$  by ind. hyp.
$\Rightarrow$ $\cdot \vdash M \in [A]$  by ind. hyp.
$\Rightarrow$ $(\theta_1', M'/y)(x) = M$  by definition SbaInd
$\theta(x) = M$  by definition

□


Lemma 7.33 (Properties of logical relation for arbitrary contexts)

If $\Gamma = (\Gamma_1, x : A) \cup \Gamma_2$ and $\Psi \vdash \rho \in |\Gamma|$ then $\rho(x) = M$ and $\Psi \vdash M \in |A|$

Proof: by induction over $\Gamma_2$:

Case: $\Gamma_2 = \cdot$:

$\Gamma = (\Gamma_1, x : A) \cup \cdot$  by assumption
$\Gamma = \Gamma_1, x : A$  by definition CuBase
$\Psi \vdash \rho \in |\Gamma_1, x : A|$  by assumption
$\Rightarrow$ $\rho = \rho_1, M/x$  by definition 7.24
$\Psi \vdash M \in |A|$  by definition 7.24
$(\rho_1, M/x)(x) = M$  by definition SbaInd
$\Rightarrow$ $\rho(x) = M$  by definition

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Case: $\Gamma_2 = \Gamma_2', y : A'$, $x \neq y$:

$\Gamma = (\Gamma_1, x : A) \cup (\Gamma_2', y : A')$  by assumption
$\Gamma = (\Gamma_1, x : A) \cup \Gamma_2', y : A'$  by definition CuInd
$\Psi \vdash \rho \in |(\Gamma_1, x : A) \cup \Gamma_2', y : A'|$  by assumption
$\Rightarrow$ $\rho = \rho_1', M'/y$  by definition 7.24
$\Rightarrow$ $\Psi \vdash M' \in |A'|$  by definition 7.24
$\Rightarrow$ $\Psi \vdash \rho_1' \in |(\Gamma_1, x : A) \cup \Gamma_2'|$  by definition 7.24
$\Rightarrow$ $\rho_1'(x) = M$  by ind. hyp.
$\Rightarrow$ $\Psi \vdash M \in |A|$  by ind. hyp.
$\Rightarrow$ $(\rho_1', M'/y)(x) = M$  by definition SbaInd
$\rho(x) = M$  by definition

□


Lemma 7.34 (Properties of logical relation for contexts)

1. If $\Delta = (\Delta_1, x : A) \cup \Delta_2$ and $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\theta(x) = M$ and $\cdot \vdash M \in [A]$
2. If $\Gamma = (\Gamma_1, x : A) \cup \Gamma_2$ and $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ then $\rho(x) = M$ and $\Psi \vdash M \in |A|$

Proof: 1. $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$  by assumption
$\Rightarrow$ $\vdash \theta \in [\Delta]$  by definition 7.25
$\Rightarrow$ $\theta(x) = M$  by lemma 7.32
$\Rightarrow$ $\cdot \vdash M \in [A]$  by lemma 7.32

2. $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$  by assumption
$\Rightarrow$ $\Psi \vdash \rho \in |\Gamma|$  by definition 7.25
$\Rightarrow$ $\rho(x) = M$  by lemma 7.33
$\Rightarrow$ $\Psi \vdash M \in |A|$  by lemma 7.33
□


Lemma 7.35 (Extending logical relations for contexts)

If $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$ and $\Psi \vdash V \in |A|$ then $\Psi \vdash \theta; \rho, V/x \in [\Delta; \Gamma, x : A]$

Proof: $\Psi \vdash \theta; \rho \in [\Delta; \Gamma]$  by assumption
$\Rightarrow$ $\vdash \theta \in [\Delta]$  by definition 7.25
$\Rightarrow$ $\Psi \vdash \rho \in |\Gamma|$  by definition 7.25
$\Rightarrow$ $\Psi \vdash \rho, V/x \in |\Gamma, x : A|$  by definition 7.24
$\Psi \vdash \theta; \rho, V/x \in [\Delta; \Gamma, x : A]$  by definition 7.25
□


Lemma 7.36 (Identity substitution for arbitrary context)

For all $\Psi$ the following holds: $\Psi \vdash \mathrm{id}_\Psi \in |\Psi|$


92


C  CANONICAL  FORM  THEOREM


Proof: by induction over $\Psi$:

Case: $\Psi = \cdot$:

$\cdot \vdash \cdot \in |\cdot|$  by definition 7.24
$\cdot \vdash \mathrm{id}_{\cdot} \in |\cdot|$  by definition IdEmpty

Case: $\Psi = \Psi', x : B$:

$\Psi' \vdash \mathrm{id}_{\Psi'} \in |\Psi'|$  by ind. hyp.
$\Rightarrow$ $\Psi', x : B \vdash \mathrm{id}_{\Psi'} \in |\Psi'|$  by lemma 7.26 (1)
$\Psi', x : B = \Psi', x : B \cup \cdot$  by definition CuBase
$(\Psi', x : B)(x) = B$  by definition 2.2
$\Psi', x : B \vdash x \Downarrow B$  by application of AtVar
$\Psi', x : B \vdash x \in |B|$  by lemma 7.17 (2)
$\Psi', x : B \vdash \mathrm{id}_{\Psi'}, x/x \in |\Psi', x : B|$  by definition 7.24
$\Rightarrow$ $\Psi', x : B \vdash \mathrm{id}_{\Psi', x : B} \in |\Psi', x : B|$  by application of IdNonEmpty

□


Lemma 7.37 (Identity substitution for context)

For all $\Psi$ the following holds: $\Psi \vdash \cdot; \mathrm{id}_\Psi \in [\cdot; \Psi]$

Proof: $\Psi \vdash \mathrm{id}_\Psi \in |\Psi|$  by lemma 7.36
$\vdash \cdot \in [\cdot]$  by definition 7.23
$\Psi \vdash \cdot; \mathrm{id}_\Psi \in [\cdot; \Psi]$  by definition 7.25
□


Lemma 7.38 (Strengthening lemma)

Let $\Delta; \Gamma \cup \Gamma^* \cup \hat\Gamma \vdash (\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\hat\Gamma}) : (\Delta; \Gamma \cup \Gamma^* \cup \hat\Gamma)$

1. If $\Delta; \Gamma \cup \hat\Gamma \vdash M : A$ then $M = [\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\hat\Gamma}](M)$

2. If $\Delta; \Gamma \cup \hat\Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma')$ then $\Xi = [\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\hat\Gamma}](\Xi)$

3. If $\Delta; \Gamma \cup \hat\Gamma \vdash \Omega : (\omega)(\Sigma')$ then $\Omega = [\mathrm{id}_\Delta; \mathrm{id}_\Gamma \cup \rho \cup \mathrm{id}_{\hat\Gamma}](\Omega)$

Proof: by induction over $\mathcal{P} :: \Delta; \Gamma \cup \hat\Gamma \vdash M : A$, $\mathcal{P} :: \Delta; \Gamma \cup \hat\Gamma \vdash \Xi : (B \Rightarrow A)(\Sigma')$ and $\mathcal{P} :: \Delta; \Gamma \cup \hat\Gamma \vdash \Omega : (\omega)(\Sigma')$:

1. Case: $\mathcal{P} =$ TpVarReg, with premise $\Gamma \cup \hat\Gamma(x) = A$ and conclusion $\Delta; \Gamma \cup \hat\Gamma \vdash x : A$:

$\Gamma \cup \hat\Gamma(x) = A$  by assumption
$\Gamma = \Gamma_1, x : A \cup \Gamma_2$ or $\hat\Gamma = \hat\Gamma_1, x : A \cup \hat\Gamma_2$  by lemma 6.7




(a)  r  =  ri,a;:Aur2: 

X  =  [id^ ;  idr  U  ^  U  idp]  (x) 

(b)  f  =  Fi,  a;  :  A  U  rV 

X  =  [id^ ;  idr  U  ^  U  idp]  (x) 

A(x)  =  A 

Case:  V  =  - - ; - TpVarMod; 

A;  F  U  f  h  a;  :  A 

A(a;)  =  A 

X  =  [id^ ;  idr  U  ^  U  idp]  (a;) 

S(c)  =  B 

Case:  V  = - TpConst; 

A;ruf  hc:H 

c  =  [id^ ;  idr  U  ^  U  idp]  (c) 

A;  F  U  f ,  a;  :  Ai  h  M  :  A2 

Case:  V  =  - - : - TpLam; 

A;ruf  h  Xx:Ai.M  :  Ai  ^  A2 
M  =  [id^;idr  U  £<  U  idp^^.^J(M) 

M  =  [id^;  idr  U  ^  U  idp,  a;/a;](M) 

\x  :  Ai.  M  =  Xx  :  Ai.  [id^;  idr  U  ^  U  idp,  a;/a;](M) 
Xx  :  Ai.  M  =  [id^;  idr  U  ^  U  idp](Aa; :  Ai.  M) 


by  definition 
by  definition 


by  assumption 
by  definition 


by  definition  SBConst 


by  ind.  hyp.  (1) 
by  definition  IdNonEmpty 
by  definition 
by  definition  SBLam 


A;  F  U  F  h  Ml  :  A2  ^  Ai  A;  F  U  F  h  M2  :  A2 
Case:  V  = - TpApp; 

A;  F  U  f  h  Ml  M2  :  Ai 
Ml  =  [id^;  idr  U  ^  U  idp]  (Mi) 

M2  =  [id^ ;  idr  U  U  idf  ]  {M2) 

Ml  M2  =  [id^ ;  idr  U  U  idp]  (Mi  M2) 

A:  F  U  f  h  Ml  :  Ai  A:  F  U  f  h  M2  :  A2 
Case:  V  =  M - ^ - TpPair; 

A;ruf  h  (Ml,  M2)  :  Ai  X  A2 
Ml  =  [id^;  idr  U  ^  U  idp]  (Mi) 

M2  =  [id^ ;  idr  U  U  idp]  (M2) 

^  {Ml,  M2)  =  [id^;idr  U  £<  U  idp]((Mi,  M2)) 

A;  F  U  f  h  M  :  Ai  X  A2 
Case:  V  = - TpFst; 

A;  F  U  f  h  fst  M  :  Ai 
M  =  [id^ ;  idr  U  ^  U  idp]  (M) 

fst  M  =  [id^ ;  idr  U  ^  U  idp]  (fst  M) 


by  ind.  hyp.  (1) 
by  ind.  hyp.  (1) 
by  definition  SBApp 


by  ind.  hyp.  (1) 
by  ind.  hyp.  (1) 
by  definition  SBPair 


by  ind.  hyp.  (1) 
by  definition  SB  Fst 


A;  F  U  F  h  M  :  Ai  X  A2 

Case:  V  =  — - : - TpSnd; 

A;  F  U  f  h  snd  M  :  A2 
M  =  [id^ ;  idr  U  ^  U  idp]  (M) 

snd  M  =  [id^ ;  idr  U  ^  U  idp]  (snd  M) 


A;  •  h  M  :  A 

Case:  V  = - TpBox; 

A;r  U  f  h  box  M  :  DA 


by  ind.  hyp.  (1) 
by  definition  SBSnd 
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A;  r  U  r*  U  f  h  (id^ ;  idr  U  £<  U  idp)  :  (A;  F  U  f  U  f) 
^  A;  •  h  (id^;  •)  :  (A;  •) 

^  A;  •  U  •  U  •  h  (id^;  •  U  •  U  •)  :  (A;  •  U  •  U  •) 

^  M=  [id^;-U-U-](M) 

^  M=[id^;.](M) 

box  M  =  box  [id^;  •](M) 

box  M  =  [id^ ;  idr  U  ^  U  idp]  (box  M) 


by  assumption 
by  lemma  6.19 
by  definition 
by  ind.  hyp.  (1) 
by  definition 
by  definition 
by  definition  SB  Box 


A;rurhMi:nAi  A,  a;  :  Ai;  F  U  F  h  M2  :  A2 

Case:  V  = - : - : - TpLet; 

A;  F  U  f  h  let  box  x  =  Mi  in  M2  :  A2 

Ml  =  [id^;  idr  U  ^  U  idp]  (Mi)  by  ind.  hyp. 

M2  =  [idA,:Emi ;  idr  U  £<  U  idp]  (M2)  by  ind.  hyp.  (1) 

M2  =  [id^,  s/s;  idr  U  ^  U  idp](M2)  by  definition  IdNonEmpty 

(let  box  X  =  Ml  in  M2)  = 

(let  box  X  =  [id^;  idr  U  ^  U  idp](Mi)  in  [id^,  x/x]  idr  U  ^  U  idp](M2))  by  definition 
let  box  X  =  Ml  in  M2  =  [id^;  idr  U  ^  U  idp]  (let  box  x  =  Mi  in  M2)  by  definition 

SB  Let 


A;rurhM:nH  A;  F  U  F  h  E  :  (H  ^  A)(S') 

Case:  V  = - TpCase; 

A;  F  U  f  h  case  (A)  M  (E)  :  C*  {B,  A,  B) 

M  =  [id^;  idr  U  ^  U  idp](M)  by  ind.  hyp.  (1) 

"  =  [id^ ;  idr  U  £<  U  idp]  (E)  by  ind.  hyp.  (2) 

case  (A)  M  (E)  =  [id^;  idr  U  ^  U  idp]  (case  (A)  M  (E))  by  definition  SBCase 

A;rufhM:nH  A;  F  U  f  h  0  :  (a;)(S') 

Case:  V  = - Tplt; 

A;  F  U  f  h  it  (cj)  M  (0)  :  {i^){B) 

M  =  [id^;  idr  U  ^  U  idp](M)  by  ind.  hyp.  (1) 

0  =  [id^;  idr  U  ^  U  idp](0)  by  ind.  hyp.  (3) 

it  (u)  M  (0)  =  [id^;  idr  U  ^  U  idp]  (it  (u)  M  (0))  by  definition  SBIt 


2. 


Case:  V  = 


TmBase: 


A;rur  h  •  :  (H  ^  A)(-) 

.  =  [id^;  idr  U  ^  U  idp](-)  by  definition  SBXiEmpty 

A;  F  U  f  h  “  :  (H  ^  A)(S)  A;  F  U  f  h  M  :  C  (H,  A,  H') 

Case:  V  = - Tmind: 


A;  F  U  F  h  (“  I  c  ^  M)  :  (H  ^  A)(S,  c  :  F 
"  =  [id^;idr  U  £<U  idp](") 

M  =  [id^ ;  idr  U  ^  U  idp]  (M) 

^  (E  I  c  ^  M)  = 

([id^;  idr  U  U  idp](E)  |  c  ^  [id^;  idr  U  U  idp](M)) 
(E  I  c  M)  =  [id^ ;  idr  U  ^  U  idp]  (E  |  c  M) 


by  ind.  hyp.  (2) 
by  ind.  hyp.  (1) 

by  definition 
by  definition  SBXi 


3.  Case:  V  = - TrBase: 

A;ruf  h.:(a;)(.) 

•  =  [id^;idr  U  £<U  idp](-) 


by  definition  SBOmegaEmpty 
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A;ruf  hO:  (cj)(S)  A;  F  U  f  h  M  :  (cj)(H') 

Case:  V  = - Trind: 

A;  F  U  f  h  (0  I  c  M)  :  (cj)(S,  c  :  B') 

0  =  [id^ ;  idr  U  ^  U  idp]  (0) 

M  =  [id^ ;  idr  U  ^  U  idp]  (M) 

(0  I  c  H- ?■  M)  = 

([id^;  idr  U  ^  U  idp](0)  |  c  i-)-  [id^;  idp  U  ^  U  idp](M)) 

(0  I  c  I— 7-  M)  =  [id^ ;  idp  U  ^  U  idp]  (0  |  c  i— ?■  M) 


by  ind.  hyp.  (3) 
by  ind.  hyp.  (1) 

by  definition 
by  definition  SBOmega 


□ 


Lemma 7.42 (Preservation of Preconditions and Postconditions)

1. If $\mathrm{Pre}_B(\Psi, B')$ and $\Psi(x) = B'$ then $\mathrm{Post}_B(B')$

2. If $\mathrm{Pre}_B(\Psi, B')$ and $\Sigma(c) = B'$ then $\mathrm{Post}_B(B')$

3. $\mathrm{Pre}_B(\Psi, B_2)$ implies $\mathrm{Pre}_B(\Psi, B_1 \rightarrow B_2)$

4. $\mathrm{Pre}_B(\Psi, B_2)$ and $\mathrm{Post}_B(B_1 \rightarrow B_2)$ implies $\mathrm{Pre}'_B(\Psi, B_1)$ and $\mathrm{Post}_B(B_2)$

5. $\mathrm{Pre}'_B(\Psi, B_1 \rightarrow B_2)$ implies $\mathrm{Pre}'_B(\Psi, x : B_1, B_2)$

6. For all pure types $B$: $\mathrm{Pre}'_B(\cdot, B)$

Proof: 


Pre^B  (T,P') 

by  assumption  (1) 

^  r(P')  <B  t{B) 

by  definition  7.39 

^  ^  <B  t{B) 

by  definition  7.39 

II 

TT 

by  assumption  (1) 

^  T  =  (Ti,  a;  :  P')  U  T2 

by  definition  2.2 

r(P')  <B  t{B)  implies  that  forall  y  G  Source(P')  :  y  Mb  t{B) 

by  lemma  6.32 

forall  y  G  Source(P')  : 

y 

t{B) 

by  definition 

Post],j5  {B') 

by  definition 

II 

by  assumption  (2) 

Let  y  G  Source(P') 

by  assumption 

^  y  Mb  t(P') 

by  lemma  6.30 

Pre^B  (T,P') 

by  assumption  (2) 

^  r(P')  Mb  r(P) 

by  definition  7.39 

^  y  Mb  t(P) 

by  lemma  6.30 

forall  y  G  Source(P')  : 

y 

r(P) 

by  definition 

Post],j5  {B') 

by  definition 
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3.  Pre^B  B2) 

by  assumption  (3) 

t{B2)  <b  t{B) 

by  definition  7.39 

t{B2)  =  t{Bi  B2) 

by  definition  4.15 

t{Bi  B2)  t{B) 

by  definition 

T  <B  t{B) 

by  definition  7.39 

Pre^B  (T,  Bi  B2) 

by  definition  7.39 

4.  Pre^B  B2) 

by  assumption  (4) 

=> 

t{B2)  <b  t{B) 

by  definition  7.39 

=> 

T  <B  t{B) 

by  definition  7.39 

PostJ,^  (_Bi  — y  B2) 

by  assumption  (4) 

forall  y  G  Source(_Bi  — ?■  B2)  :  y  <b  '^{B) 

by  definition  7.41 

Source(_Bi  — ?■  B2)  =  Source(_Bi)  U  {r(_Bi)}  U  Source(_B2) 

by  definition  4.16 

forall  y  G  Source(_Bi)  :  y  <b  '^{B) 

by  definition 

forall  y  G  Source(_B2)  :  y  <b  '^{B) 

by  definition 

Post^B  (H2) 

by  definition  7.41 

forall  y  G  {r(Hi)}  :  y  <b  t{B) 

by  definition 

t{Bi)  <b  t{B) 

by  definition 

t{Bi)  <b  t{B) 

by  definition 

Pre^B  (T,  Hi) 

by  definition  7.39 

forall  B'  G  PCT(_Bi)  :  Source(_B')  C  Source(_Bi) 

by  lemma  6.33 

forall  B'  G  PCT(Hi)  :  forall  y  G  Source(H')  :  y  G  Source(Hi) 

by  definition 

forall  B'  G  PCT(Hi)  :  forall  y  G  Source(H')  :  y  Mb  t{B) 

by  definition 

forall  B'  G  PCT(Hi)  :  if  t(H")  r(H)then  forall  y  G  Source(H') 

:  y  Mb  t(H) 

by  definition 

Prefix 

by  definition  7.40 

5.  PreffB  Bi  B2) 

by  assumption  (5) 

Pre^B  (T,  Hi  ^  H2) 

by  definition  7.40 

forall  B'  G  PCT(Hi  — ?■  H2)  :  if  t(B')  Mb  t{B)  then  forall  y  G  Source(H')  :  y  Mb  t{B) 

by  definition  7.40 

r(Hi  ^  H2)  <B  r{B) 

by  definition  7.39 

T  Mb  t{B) 

by  definition  7.39 

r(Hi  ^  H2)  =  r(H2) 

by  definition  4.15 

'r(H2)  <B  r{B) 

by  definition 

PCT(Hi  ^  H2)  =  {Hi}  U  PCT(H2) 

by  definition  4.22 
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if  t[Bi)  <b  '^{B)  then  forall  y  G  Source(_Bi)  :  y  <b  '^{B)  by  definition 

T,  a;  :  Hi  <b  t{B)  by  definition  7.39 

PreJ,B  (T,  a;  :  Bi,B2)  by  definition  7.39 


^  forall  B'  G  PCT(H2)  :  if  r(H')  <b  t{B) 

=>  PreffB  (T,a;  :  Hi,H2) 

6.  Let  H  be  a  pure  Type 
r(H)  =  r(H) 

^  t{B)  <b  t{B) 

■  <B  t{B) 

PreJ,B  (•,  B) 

Let  B'  G  PCT(H) 

Assume  t{B')  <b  t{B) 

Let  y  G  Source(H') 

^  y  <B'  t{B') 

^  y  <^B  t{B') 

^  y  Mb  'r(H') 

^  y  Mb  t{B) 

forall  B'  G  PCT(H)  :  if  r(H')  Mb  t{B) 
=>  PreffB  {■,B) 


forall  y  G  Source(H  )  :  y  Mb  b[B) 

by  definition  7.40 
by  definition  7.40 

by  assumption  (6) 
by  definition 
by  definition  6.29 
by  definition  6.31 
by  definition  7.39 
by  assumption 
by  assumption 
by  assumption 
by  definition  4.19 
by  lemma  6.34 
by  definition  4.24 
by  lemma  6.30  (2) 
forall  y  G  Source(H')  :  y  Mb  b{B) 

by  logic 
by  definition  7.40 

□ 


Lemma 7.43 (Auxiliary lemma for iterator)

//TUTh  yidvpU^G  [g^UT],  T  +  T  h  G  [(cj)(S';T)]  and  S' =  N*(S;X(S;  H)) 

1.  If  V  f  B'  and  Pre  ^b  {'^,B')  then  T  U  T  h  [•;  idij  U  ^]((aa;  rf)(E))  G  [(^^)(H')]  and 
Post^B  {B') 

2.  //ThE^H'  and  PreilB  (^,  5')  tden  T  U  T  h  [•;  idvp  U  ^]((a;;  f2)(E))  G  [(c^)(H')] 

Proof:  by  induction  over  P  ::  T  h  E  ff  H'  and  S  V  f  B' 

T(a;)  =  B' 

1.  Case:  S  = - AtVar 

T  h  a;  ;  H' 

T(a;)  =  B' 

T  =  Ti,  a;  :  H' U  T2 
^  T  =  §1 ,  M  :  (cj)  (H')  U  §'2 


by  assumption 
by  definition  2.2 
by  lemma  7.14 
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U  =  (uj]  Q){x) 

by  lemma  7.14 

(idijr  U  q){u)  =  M 

by  lemma  7.34 

=>  TUTEMg  [(cj)(H')] 

by  lemma  7.34 

^  [•;  idij  U  q]{u)  =  M 

by  definition  SBVar 

T  U  T  h  [•;  idijr  U  (u)  G  (-B')] 

by  definition 

^  vI;UTh[.;idv,U^]((a;;0)(a;))  G  [M(5')l 

by  definition 

PreiB 

by  assumption 

PostJ,j5  {B') 

by  lemma  7.42  (1) 

S(c)  =  B' 

Case:  8  —  AtConst 

T  h  c  ;  H' 

II 

by  assumption 

Pre^B  (T,H') 

by  assumption 

PostJ,j5  {B') 

by  lemma  7.42  (2) 

Case:  t{B')  G  X(S;H): 

S'(c)  =  B' 

by  assumption 

S'  =  S;,c:H'US'2 

by  definition  4.17 

^  ThMG[M(H')] 

by  lemma  7.12 

M  =  {lo]  81)  (c) 

by  lemma  7.12 

^  -T  h  M  :  (cj)(H') 

by  definition  7.4 

^  -TU  •  h  M  :  (cj)(H') 

by  definition  CuBase 

TUT  h  -id^  U  £<  G  [s^UT] 

by  assumption 

^  -TU  T  h  (-idv];  U  £<)  :  (•;  T  U  T) 

by  lemma  7.31 

^  -TU  T  U  •  h  (-id^  U  £<U  •)  :  (•;  T  U  T  U  •) 

by  definition  CuBase 

Af  =  [•;  idijr  U  ^  U  •](Af) 

by  lemma  7.38 

Af  =  [•;  idijr  U  (Af ) 

by  definition  CuBase 

^  AT  =  [•;  idij  U  £»]((cj;  0)(c)) 

by  definition 

^  T  >  • 

by  lemma  6.2 

^  T  U  T  >  T  U  • 

by  lemma  6.5 

^  T  U  T  >  T 

by  definition  CuBase 

^  TUTPATg  [(cj)(H')] 

by  lemma  7.9  (1) 

^  TUTh[-;idv,U^]((a;;0)(c))  G  [M(5')l 

by  definition 

Case:  t{B')  ^  X(S;H): 

^  c-.B'^T.' 

by  definition 

S'(c)  is  undefined 

by  definition 

Pre^B  (T,H') 

by  assumption 

^  r(H')  <B  t{B) 

by  definition  7.39 

=>  t{B)  ^b  t{B') 

by  lemma  6.37 

Source(_B')  n  I(S;  H)  =  0 

by  lemma  6.35 

^  {ij){B')  =  B' 

by  lemma  6.36 

T  +  TPOg  [M(S';T)] 

by  assumption 

0(c)  is  undefined 

by  lemma  7.13 

^  (cj;  0)(c)  =  c 

by  definition  ElConst 

^  S(c)  =  B' 

by  assumption 
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^  T  h  c  G  \B'\ 

^  T  h  c  G  IB'} 

=>  vI;hcG[M(H')] 

[•;  idij  U  £»](c)  =  c 
^  T  h  [•;id5,  U  £»](c)  G  [(c^)(-B')] 

^  T  h  [sid^.  U  £»]((cj;  0)(c))  G 

Vi  V2 

T  h  El ;  H'  ^  h;  t  h  E2  ^  ^2 

Case:  £  = - AtApp 

T  h  El  E2 ; 

Pre^B  (T,H;) 

^  Pre^B  (T,H' 

^  T  U  T  h  [•;  idijr  U  £']((c^;  0)(Ei))  G  1{‘^){B'2  -BJ)] 

^  T  U  T  h  [•;  idv,  U  ^]((a;;  0)(Ei))  G  [M(B')  ^  M(B;)] 

PostJ,j5  {B'2  —7-  B'^) 

^  PrefrB(T,B') 

PostJ,j5  (Bi) 

^  T  U  T  h  [•;  id^,  U  £»]  ((cj;  0)  (E2))  G  [(c^)  (BQ] 

^  T  U  T  h  [•;  id.1,  U  £']((c^;  0)(Ei))  [•;  id.i,  U  £']((c^;  0)(E2))  G  [(1 

^  vI;UTh[-;idv,U^]((a;;0)(Ei)  (c^;0)(E2))  G  [M(B;)] 

^  TUTh[-;idvfU^]((a;;0)(EiE2))  G  [M(B;)] 

Vi 

T  h  E^a 

2.  Case:  V  = - CanAt 

T  h  E  fr  a 

Prefix  (T,a) 

^  PreJ,B  ('Ll  a) 

^  T  U  T  h  [-idvi,  U  £<]((cj;0)(E))  G  [(t^)(a)] 

T,  a;  :  B;  h  E  fr  B^ 

Case:  V  = - CanLam 

T  h  Aa;:B;.E  fr  B;  ^  B^ 

(T,a.jM(B;))H  =  M(B;) 

^  :  (cj)(B;)  h  M  ;  (cj)(B;) 

^  i>,u-.{oj){B'^hue\{oj){B'^\ 

^  ^,u:^{uj){B',)huel{^){B',)} 

=>  T  +  T  h  0  G  [(cj)(S';T)] 

T  >  T 

^  T,  M  :  (c^)(Bj)  >  T 
^  vI;  +  T,a^:M(B;)hOG[M(S';T)] 

^  T  +  T,  M  :  M(B;)  h  0  I  a;  ^  m  G  [M(S';  T,  a;  :  Bj)] 

Let  T"  >  T  U  T 


by  application  of  AtVar 
by  lemma  7.17 
by  lemma  7.21 
by  definition  4.26 
by  definition  SBConst 
by  lemma  7.21 
by  definition 


by  assumption 
by  lemma  7.42  (3) 
by  ind.  hyp.  (1)  on  Bi 
by  definition  4.26 
by  ind.  hyp.  (1)  on  Bi 
by  lemma  7.42  (4) 
by  lemma  7.42  (4) 
by  ind.  hyp.  (2)  on  V2 
;)(BJ)]  by  lemma  7.22 
by  application  of  SbApp 
by  application  of  ElApp 


by  assumption 
by  definition  7.40 
by  ind.  hyp.  (1)  on  Bi 


by  definition 
by  application  of  AtVar 
by  lemma  7.17 
by  lemma  7.21 
by  assumption 
by  definition  CeBase 
by  definition  CeInd 
by  lemma  7.10 
by  definition  7.5 
T"  =  T  U  T' 

by  lemma  6.4 

T'  >  T 

by  lemma  6.4 

Let  TUT'  h  E'  G  \{‘^){B[)\ 

TUT  h  yid^  U£<  G  [yTUT] 

by  assumption 

T  U  T'  h  yid^  U  £<  G  [yT  U  T] 

by  lemma  7.26 

T  U  T'  h  •;  (idvp  U  g),V'lu  G  [•;  (T  U  T),  n  :  (c^)(5()] 

by  lemma  7.35 

T  U  T'  h  •;  id^  U  g,  V'/u  G  [•;  T  U  T,  n  :  {io){B[)] 

by  definition  CeInd 

Pre^B  {i>,B[^B'2) 

by  assumption 

=> 

Prefix  (T,  X  :  .62) 

by  lemma  7.42  (5) 

T  U  T'  h  [•;  idij  U  g,  V'/u]{{uj;  0  a;  hG  'a)(E))  G 

by  ind.  hyp.  (2) 

T  U  T'  h  [E'/-a]([-;  id.j  U  g,  u/u]{{lj-,  0  a;  hG  -a)(E)))  G 

by  lemma  6.17  (1) 

^  T  U  T  h  Xu :  (lj)  {B[) .  [•;  id.j  U  g,  u/u]{{lj;  0  |  a;  '“)(^))  ^  ^  (^)(-®DI 

by  definition  7.4 

^  T  U  T  h  Xu :  (lj)  {B[) .  [•;  (id.j  U  g),  u/u]{{lj;  0  |  a;  '“)(^))  ^  ^  (^)(-®DI 

by  definition  CuInd 

^  T  U  T  h  [•;  idij  U  g]{Xu:  {lj){B[).  (cj;  0  |  a;  '“)(^))  ^  ^  (^)(-®DI 

by  definition  SbLam 

T  U  T  h  [•;  idij  U  £']((t<a;  0)(Aa;  :B[.  V))  G  |(aa)(Hj)  — ?■  (aa)(H2)|  by  definition  ElLam 
T  U  T  h  [•;  idij  U  ((oa;  0)  (Aa;  -.B'^.V))  G  |  (oj)  {B[  B 2)  \  by  definition  4.26 

T  U  T  h  [•;  idij  U  ^]((aa;  0)(Aa;  E))  G  [(aa)(Hj  — >  H2)]  by  lemma  7.21 

□ 


Lemma  7.44  (Every  canonical  element  is  member  of  the  logical  relation) 

1.  If  T  h  E  ;  H  and  T'  h  •;  £.  G  [•;  then  T'  h  [y^KE)  G  [H] 

2.  If  T  h  E  fr  H  and  T'  h  •;  £.  G  [•;  then  T'  h  [•;  g]{V)  G  [H] 


Proof:  by  induction  over  P  ::  T  h  E  ),  H  and  8 
T(a;)  =  B 

1.  Case:  V  = - AtVar 

^  \-  X  IB 

T(a;)  =  B 

T  =  Ti,  a;  :  H  U  T2 
y^G  [•;4'] 

=y  g[x)  =  M 
=>  [■',e]{x)  =  M 
^  T'  h  M  G  [H] 

^  'L'h[.;^](a:)G[H] 


:  T  h  E  fr  H: 


by  assumption 
by  definition  2.2 
by  assumption 
by  lemma  7.34  (2) 
by  definition  SBVar 
by  lemma  7.34  (2) 
by  definition 
S(c)  =  B 

Case:  V  = - AtConst 

T  h  c;  H 

S(c)  =  B 

^  T'  h  c  G  |-B| 

^  T'  h  c  G  [H] 

^  E  [s^Kc)  G  [H] 

Vi  8i 

T  h  El  ;  H2  ^  Hi  T  h  E2  ^  ^2 

Case:  V  = - AtApp 

T  h  El  E2 ; 

^'^he]{V2)elB2\ 

^  'L'h[.;^](Ei)  [•;^](E2)  G  [Hi] 

^  G  [i^i] 

Vi 

ThE^a 

2.  Case:  £  = - CanAt 

T  h  E  fr  a 

[s^KE)  G  H 

T,  a;  :  Hi  h  E  fl  H2 

Case:  £  = - CanLam 

T  h  Aa;:Hi.E  fr  Hi  ^  H2 

Let  T"  >  T' 

Let  T"  h  IE  G  |Hi| 
s^G  [S^] 

^  T"  h  •;£<  G  [g^] 

^  T"  h  •;  £»,  lE/a;  G  a;  :  Hi] 

^  vI;"h[.;^,IE/a:](E)G[H2] 

^  vI;"h[IE/a:]([.;^,a:/a:](E))G[H2] 

T' h  Aa;  :Hi.  [•;£»,  a;/a;](E)  G  |Hi —)■  H2I 
^  T' h  [•;^](Aa;:Hi.E)  G  |Hi  ^  H2I 
^  T'h[-;^](Aa::Hi.E)  G  [Hi^H2] 


by  assumption 
by  application  of  AtConst 
by  lemma  7.17  (2) 
by  definition  7.4 
by  application  of  SBConst 


by  ind.  hyp.  (1)  on  Hi 
by  ind.  hyp.  (2)  on  ^ii 
by  lemma  7.22 
by  definition  SBApp 


by  ind.  hyp.  (1)  on  Hi 


by  assumption 
by  assumption 
by  assumption 
by  lemma  7.26  (1) 
by  lemma  7.35 
by  ind.  hyp.  (2) 
by  lemma  6.17  (1) 
by  definition  7.4 
by  definition  SBLam 
by  lemma  7.21 

□ 


Lemma  7.45  (Properties  of  transformation  types) 

If  T  h  E  fr  H  then  ■  h  A{T}.E  G  [n{T}.H] 


Proof:  by  induction  over  T: 
Case:  T  =  •: 

^  •  E  •  G  [•;  •] 

^  •h[.;-](E)G[H] 

^  S-EE  :H 
^  [•;-](E)  =  E 
^  -EEgIH] 

^  .hA{.}.EG[H] 

^  -h  a{.}.eg  [n{.}.H] 

Case:  T  =  T',  a;  :  B'\ 

^  T',a;  :  H' h  E  fr  H 
^  T' h  Aa;:H'.EfrH' ^  H 
^  •  h  A{T'}.  Aa;:H'.E  G  [n{T'}.  (H' ^  H)] 
^  •  h  A{T',a;  :  H'}.E  G  [n{T'}.  (H' ^  H)] 
^  •  h  A{T',a;  :  H'}.E  G  [n{T',a;  : 


by  definition  7.23,  7.24,  7.25 
by  lemma  7.44 
by  lemma  6.25 
by  lemma  6.23 
by  definition 
by  definition  5.8 
by  definition  5.9 


by  assumption 
by  application  of  CanLam 
by  ind.  hyp. 
by  definition  5.8 
by  definition  5.9 

□ 


Lemma  7.46  (Auxiliary  lemma  for  case) 

If  TUTh  yidvpU^G  [•;4’UT],  T  +  Th  “  G  [(H  ^  A)(S';  T)]  and  S' =  N(S;  r(H)) 

1.  If  T  h  E  ;  B'  and  n{T}.r(H)  =  B  and  t{B')  =  t{B)  then  TUT  h 

[•;  idvf  U  q]{{B  ^  A;  S;  T}(E))  G  [C  {B,  A,  H')] 

2.  If  T  h  E  fr  H'  and  n{T}.H'  =  B  then  TUT  h  [•;  id,];  U  £.]({H  ^  A;  S;  T}(E))  G 
r  {B,A,B')} 

Proof:  by  induction  over  V  h  V  I  B  and  S  ::  T  h  E  i[  B: 

T'(a;)  =  B' 

1.  Case:  V  = - AtVar 

T  h  a;  ;  H' 

T(a;)  =  B' 

^  T  =  Ti,  a;  :  H' U  T2 
^  T  =  Ti,n:C  (H,A,H')UT'2 
^  M  =  {H  ^  A;  S;  T}(a;) 

(idijr  U  (t)(u)  =  M 
=>  TUThMGp  (H,A,H')] 

^  [•;  id,j  U  q]{u)  =  M 
^  TUTh[-;id,];U£<](M)  G  [C  (H,A,H')] 

^  TUTh[-;idvpU^]({H^  A;S;T}(a;))  G  [C  (H,  A,  H')] 


by  assumption 
by  definition  2.2 
by  lemma  7.16 
by  lemma  7.16 
by  lemma  7.34 
by  lemma  7.34 
by  definition  SBVar 
by  definition 
by  definition 
S(c)  =  B' 

Case:  V  = - AtConst 

T'  h  c  ; 


r(H')  =  t{B) 

by  assumption 

c:H'GN(S;r(H)) 

by  definition  4.17 

c-.B'^T.' 

by  definition 

S'  =  S;,c:H'US'2 

by  definition  2.2 

TEMg  [C  (H,A,H')] 

by  lemma  7.15 

M  =  {B^  A;0;T}(c) 

by  lemma  7.15 

•;T  h  M  :  C  {B,A,B') 

by  definition  7.4 

•;TU  •  h  M  :  C  {B,A,B') 

by  definition  CuBase 

TUT  h  yid^  U  £<  G  [y^’UT] 

by  assumption 

•;TU  T  h  (yid^  U  £<)  :  (•;  T  U  T) 

by  lemma  7.31 

•;TU  T  U  •  h  (yid^  U  £<U  •)  :  (•;  T  U  T  U  •) 

by  definition  CuBase 

M  =  [yidv];  U  £<U  •](M) 

by  lemma  7.38 

M  =  [yidvp  U^](M) 

by  definition  CuBase 

M  =  [yidvp  U^]({H  ^  A;0;T}(c)) 

by  definition 

T  >  • 

by  lemma  6.2 

T  U  T  >  TU¬ 

by  lemma  6.5 

TU  T  >  T 

by  definition  CuBase 

TUTEMg  [C  (H,A,H')] 

by  lemma  7.9  (1) 

TUTh[-;idvpU^]({H^  A;0;T}(c))  G  [C  {B,A,B')} 

by  definition 

Vi  81 

T  h  El ;  H'  ^  h;  t  h  E2  ^  -62 

Case:  T 

)  _  AtApp 

T  h  El  E2  ;  -Bi 

t{B[)  =  t{B) 

by  assumption 

r{B',  ^  B[)  =  t{B) 

by  definition  4.15 

T  U  T  h  [•;  idv,  U  q]{{B  ^  A;  E;  T}(Ei))  G  [C  {B,  A,  (H'  ^  H^))] 


by  ind.  hyp.  (1)  on  Vi 

n{T}.r(H)  =  H  by  assumption 

^  vI;UTh[.;idv,U^]({H^  A;E;T}(Ei))  G  [C  (n{T}.  r(H),  A,  (H'  ^  Hj))] 


T  U  T  h  [•;  idijr  U  {{B  A; 
T  U  T  h  [•;  idijr  U  {{B  A; 


by  definition 

;  ^}{Vi))  e  [nniT}.  h'  ^  c  (n{T}.  t{b),  a,  b[)} 


by  definition 

;^}(Ei))G[nn{T}.H'^C(H,A,H;)] 


^  h  E2  ^  ^2 

^  •  h  a{t}.E2  G  [n{T}.Hy 
^  yh  A{T}.E2  :n{T}.H' 

^  A{T}.E2  =  [•;-](A{^}.E2) 

^  •h[.;.](A{T}.E2)G[n{T}.Hy 


by  definition 
by  assumption 
by  lemma  7.45 
by  definition  7.4 
by  lemma  6.23 
by  definition 
T  U  T  h  box  [•;  •](A{T}.  V2)  G  by  definition  7.4 

T  U  T  h  box  [•;  •](A{T}.  V2)  G  [n(n{T}.  H2)]  by  lemma  7.21 

T  U  T  h  [•;  idij  U  ^](box  A{T}.  V2)  G  [n(n{T}.  H2)]  by  definition  SBBox 

TUTh[-;idvfU^]({H^  A;E;T}(Ei))  [•;  idvf  U  ^](box  A{T}.  E2)  G  {C 

by  lemma  7.22 

A;  E;  T}(Ei)  (box  A{T}.  E2))  G  [C  {B,  A,  B[)} 

by  definition  SBApp 

A;E;T}(EiE2))g[C(H,A,H()] 


T  U  T  h  [yid^  U  £<]({H 
T  U  T  h  [yid^  U  q]{{B 


by  definition  SeApp 


2.  Case:  S  = 


Vi 


CanAt 


T  h  E  fr  a 

n{T}.a=  H 

=y  t[B)  =  r(n{T}.  a)  =  r(a)  =  a 
n{T}.r(H)  =  H 
fit  U  T  h  [•;  idijr  U  {{B  = 
fit  U  fit  h  [•;  idijr  U  {{B  = 

T,  a;  :  h  E  fr  H' 


41; 

A: 


;E}(fi/))G[C(H,A,a); 
;E}(fi/))  G  [C*  (H,A,a 


by  assumption 
by  lemma  6.28,  by  definition  4.15 
by  definition 
by  ind.  hyp.  (1) 
by  definition  5.12 


Case:  £  = 


ii  h  \x:B[.V  it  B[  ^  B'2 


CanLam 


{^,u:C  {B,A,B[)){u)  =  C  {B,A,B[) 

by  definition 

=>  (H,A,H()  (H,A,H() 

by  application  of  AtVar 

^  ^,u:C  {B,A,B[)h  u  e\C  {B,A,B[)\ 

by  lemma  7.17 

^  ^,u:C  {B,A,B[)huelC  {B,A,B[)} 

by  lemma  7.21 

fi’  +  fit  h  “  G  [(H  ^  -4)(S';  T)] 

by  assumption 

fit  >  fit 

by  definition  CeBase 

^  fit,M  :C  {B,A,B[)  >  fit 

by  definition  CeInd 

^  fir  +  T,  M  :  C  (H,  A,  h  E  G  {{B  =>  A)(S';  T)] 

by  lemma  7.11 

^  fi’  +  fit,  M  :  C  (H,  A,  h  "  a;  ^  M  G  [(H  ^  x 

Let  fit"  >  fir  U  fit 

:  H()]  by  definition  7.7 

^  fi/"  =  T  U  fit' 

by  lemma  6.4 

^  fi/'  >  fi; 

Let  fi'Ufit'  h  E'  G  |C  (H,  A,H()| 

by  lemma  6.4 

^  fi’Ufit  h  yid^  U£<  G  [yfi’UT] 

by  assumption 

^  T  U  fit' h  yid^  U  £<  G  [yfi’ U  fit] 

by  lemma  7.26 

^  T  U  fit'  h  •;  (idvp  U  q),V'Iu  G  [•;  (fi’  U  T),  m  :  C  {B,  A,  B[)] 

by  lemma  7.35 

=>  fi’  U  fit'  h  •;  id^  U  g,  V'/u  G  [•;  fi’  U  fit,  m  :  C  (H,  A,  B[)] 

by  definition  CeInd 

nlTl.H]  ^  H'  =  H 

by  assumption 

^  n{fi’,a;  :  =  H 

by  definition  5.9 

^  fi’  U  T'  h  [•;  idvp  U  V'/u]{{B  ^  A;  “  1  a;  ^  m;  T,  a;  :  H(}(E))  G  {C*  {B,  A,  H')] 
by  ind.  hyp.  (2) 

^  T  U  T'  h  \y' /u]{[-]  idij  U  q,  u/u]{{B  ^  A;  E  |  a;  ^  m;  T,  a;  :  i^J}(E))) 

G  \C*  {B,  A,  B2)}  by  lemma  6.17  (1) 

T  U  T  h  Am :C  (H,  A,  Hj).  [•;  id.j  U  g,  u/u]{{B  A;  E  |  a;  m;  T,  a;  :  B[}{V)) 

G  \C  {B,  A,  B[)  —7-  C*  {B,  A,  H^)!  by  definition  7.4 

T  U  T  h  Am:C  {B,  A,  B[).  [•;  (id.j  U  g),  u/u]{{B  A;  E  |  a;  m;  T,  a;  :  B[}{V)) 

G  \C  {B,  A,  HJ)  —7-  C*  {B,  A,  B2)  I  by  definition  CuInd 

TU'Lh[-;idi])U  ^](Am:C  {B,  A,  B[).  {B  A;E  |  x  M;T,a;  :  B[}{V)) 

G  \C  {B,  A,  B[)  —7-  C*  {B,  A,  by  definition  SBLam 

^  TUTh[-;idvpU^]({H^  A;“;T}(Aa;:H;.E))  G  \C  {B,A,B[)  C*  (H,A,HQ| 

by  definition  SeLam 

T  U  T  h  [•;  idij  U  £']({7^  A;  E;  T}(Aa;  :B[.  V))  G  \C*  {B,  A,  B[  by  definition 

5.12 

T  U  T  h  [•;  idij  U  ^]({H  A;  E;  T}(Aa;  :HJ.  E))  G  [C*  (H,  A,  >  H2)]  by  lemma 

7.21 


□ 


Lemma  7.47  (Typing  and  logical  relations)  Let  T  h  ^  G  [A;  F] 

1.  If  A;r  h  M  :  A  then  T  h  [h- g\{M)  G  [A] 

2.  If  A;  F  h  E  :  (H  ^  A)  (S')  then  T  +  •  h  [0;  (S)  G  {{B  ^  A)  (S';  •)] 

3.  If  A;  F  h  0  :  (cm)  (S')  then  T  +  •  h  [0;  (0)  G  {{oj)  (S';  •)] 


Proof:  by  induction  over  P  ::  A;  F  h  M  :  A 

p/j.'j  _  ^ 

1.  Case:  V  = - TpVarReg 

A;r  h  a;  :  A 

r(a;)  =  A 

by  assumption 

r  =  ri,a;:Aur2 

by  definition  2.2 

^h0;ge[A;r] 

by  assumption 

=y  g[x)  =  M 

by  lemma  7.34  (2) 

=>  T  h  M  G  [A] 

by  lemma  7.34  (2) 

^  [0;  g]{x)  =  M 

by  definition  SBVar 

^  T  h  [0;^](a;)  G  [A] 

by  definition 

^ 

Case:  V  = - TpVarMod 

A;r  h  a;  :  A 

A(a;)  =  A 

by  assumption 

^  A  =  Ai,  a;  :  A  U  A2 

by  definition  2.2 

vI/h0;^G  [A;r] 

by  assumption 

^  e{x)  =  M 

by  lemma  7.34  (1) 

=>  •  h  M  G  [A] 

by  lemma  7.34  (1) 
^  [0;  q\{x)  =  M 
=>  •  h  [6»;  q\{x)  G  [A] 

^  T  >  • 

^  T  h  G  [A] 

S(c)  =  B 

Case:  V  = - TpConst 

A;r  h  c : H 

S(c)  =  B 
=> 

^  T  h  c  G  |H| 

T  h  c  c  :  H 


^  •;  T  h  c  :  H 

^  T  h  c  G  [H] 

^  vI;h[0;^](c)G[H] 

A:  r,  a;  :  Ai  h  M  :  A2 

Case:  V  = - TpLam 

A;  r  h  Aa; :  Ai.  M  :  Ai  — ?■  A2 

Let  T'  >  T 
Let  T'  h  E  G  |Ai| 

^  T'  h  E  G  [All 

^h0;ge[A;r] 

=>  T'  h  ^  G  [A;  F] 

^  T'  h  0;g,Vlx  G  [A;r,a;  :  Ai] 

^  vI;'h[0;^,E/a:](M)  G  [A2] 

^  vI;'h[E/a:]([0;^,a:/a:](M))  G  [A2] 

T  h  Aa; :  Ai.  [0]  g,  a;/a;](M)  G  |Ai  — ?■  A2I 
^  T  h  [6»;£<](Aa;:Ai.M)  G  |Ai  ^  A2I 
T  h  [0;  ( Aa; :  Ai .  M)  G  |Ai  — >  A2] 


T>i  T>2 

A;  F  h  Ml  :  A2  ^  Ai  A;  F  h  M2  :  A2 

Case:  V  = - TpApp 

A;  F  h  Ml  M2  :  Ai 
^  T  h  [6*;  g]{Mi)  G  [A2  ^  Ai] 

^  T  h  [6*;  £'](M2)  G  [A2] 

^  T  h  [6*;  £'](Mi  M2)  G  [Ai] 




T>i  T>2 

A;  F  h  Ml  :  Ai  A;  F  h  M2  :  A2 

Case:  V  = - TpPair 

A;rh  (Mi,M2)  :  Ai  X  A2 
^  T  h  [6»;  £»](Mi)  G  [Ai] 

^  T  h  [6*;  £'](M2)  G  [A2] 

^  T  h  {[0-,  g]{Mi),  [0-,  g]{M2))  G  |Ai  X  A2I 
^  Th[0;^]((Mi,M2))  G  |Ai  X  A2I 
^  Th[0;^]((Mi,M2))  G  [Ai  X  A2] 


by  definition  SBVar 
by  definition 
by  lemma  6.2 
by  lemma  7.9  (1) 


by  assumption 
by  application  of  AtConst 
by  lemma  7.17  (2) 
by  application  of  EvConst 
by  application  of  TpConst 
by  definition  7.4 
by  definition  SBConst 


by  assumption 
by  assumption 
by  lemma  7.21 
by  assumption 
by  lemma  7.26  (2) 
by  assumption 
by  ind.  hyp. 
by  lemma  6.17  (1) 
by  definition  7.4 
by  definition  SBLam 
by  lemma  7.21 


by  ind.  hyp.  on  Vi 
by  ind.  hyp.  on  V2 
by  lemma  7.22 


by  ind.  hyp.  on  Vi 
by  ind.  hyp.  on  V2 
by  definition  7.4 
by  definition  SBPair 
by  lemma  7.21 
Case:  V 

V 

A;r  h  M  :  Ai  X  A2 
'  -  TpFst 

A;  F  h  fst  M  :  Ai 

T  h  [e;Q\{M)  G  [Ai  X  A2] 

by  ind.  hyp.  on  V 

■■^h[9-e]{M)  :  Ai  X  A2 

by  definition  7.4 

T  h  [e;Q\{M)  -G  E'  :  Ai  X  A2 

by  definition  7.4 

T  h  E'  G  |Ai  X  A2I 

by  definition  7.4 

V  =  {Ml,  M2) 

by  definition  7.4 

T  h  Ml  G  [Ai] 

by  definition  7.4 

T  h  Ml  -G  E  :  Ai 

by  definition  7.4 

h  E  G  |Ai| 

by  definition  7.4 

•;T  hfst  [e-Q\{M)  :  Ai 

by  application  of  TpFst 

T  hfst  [e-Q\{M)  -G  E  :  Ai 

by  application  of  EvFst 

Thfst  [e-e\{M)  G  [All 

by  definition  7.4 

vl/h[0;^](fst  M)  G  [All 

by  definition  SBFst 

A;r  h  M  :  Ai  X  A2 

Case:  V  = - TpSnd 

A;r  h  snd  M  :  A2 

analogous 

A:  •  h  M  :  A 

Case:  V  = - TpBox 

A;  r  h  box  M  :  OA 

^  h  e-,  e  e  [A-,T] 

by  assumption 

•  h  6»;  •  G  [A;  •] 

by  lemma  7.27 

•h[0;.](M)G[A] 

by  ind.  hyp. 

•;-h[0;.](M):A 

by  definition  7.4 

•;  T  h  box  [0;  •](M)  :  DA 

by  application  of  TpBox 

T  h  box  [O',  •](M)  box  [0;  •](M)  :  DA 

by  application  of  EvBox 

T  h  box  [O',  •](M)  G  nA 

by  definition  7.4 

Thbox  [9-,-]{M)  G  [DA] 

by  definition  7.4 

T  h  [0;  ^](box  M)  G  [DA] 

by  definition  SBBox 

T>i  T>2 

A;rhMi:nAi  A,  a;  :  Ai;  F  h  M2  :  A2 

Case:  V  = - TpLet 

A;  F  h  let  box  x  =  Mi  in  M2  :  A2 

^h[e-,e]{Mi)  e  [dAi] 

by  ind.  hyp.  on  Vi 

T  h  [9;q\{Mi)  -g  E  :  DAi 

by  definition  7.4 

■■'^h[9-g]{Mi)  :nAi 

by  definition  7.4 

T  h  E  G  iDAil 

by  definition  7.4 

E  =  box  M[ 

by  definition  7.4 

•  h  M{  G  [All 

by  definition  7.4 

T  h  9,M[/x;Qe  [A,x  :  Ai;r] 

by  definition  7.25 

^h[9,M[/x-g]{M2)  G  [A2] 

by  ind.  hyp.  on  V2 
^  T  h  [0,  M'Jx-,  e]{M2)  ■.A2 

T  h  E'  G  IA2I 

^  T  h  [M[/x]{[9,  x/x;  e]{M2))  -G  E'  :  A2 

T  h  let  box  x  =  [0;  £'](Mi)  in  [6,  x/x]  (^{M2)  ^  V'  A2 
T  h  [0;  ^](let  box  x  =  Mi  in  M2)  E'  :  A2 

vI/h0;^G  [A;r] 

^  :  (A;r) 

•;  T  h  [0;  ^](let  box  x  =  Mi  in  M2)  ■  A2 
T  h  [0;  ^](let  box  x  =  Mi  in  M2)  G  [A2] 

Vi  V2 

A-,rhM:OB  A;r  h  “  :  (H  ^  A)(S') 

Case:  V  = - TpCase 

A;  r  h  case  (A)  M  (E)  :  C*  {B,  A,  B) 

S'  =  N(S;r(H)) 

^>h[e-e\{M)  G  [DH] 

^  T  h  [6»;£.](M) -G  boxM' :  DH 

^  ■■■^^[9-e]{M)-.UB 

T  h  box  M'  G  |n-B| 

^  •  h  M'  G  [H] 

^  •  h  M'  fr  E'  :  H 

^  -hE'^H 

A;rhE  :  (H  ^  A)(S') 

^  vI;+.h[0;^](E)G[(H^A)(S';.)] 

T  h  •;  idijr  G  [•;  'L] 

^  TU  •  h  -idv];  U  •  G  U  •] 

n{-}.H  =  B 

=>  vI;U-h[.;idv,U-]({H^  A;E;.}(E'))  G  [C*  {B,A,B)} 

=>  T  h  [•;  idv,]({H  ^  A;  E;  -KE'))  G  [C*  (H,  A,  H)] 

^  {H  ^  A;  E;  -KE')  =  [•;  idv,]({H  ^  A;  E;  -KE')) 

^  vI;h{H^A;E;.}(E')G[C*(H,A,H)] 

^  T  h  {H  ^  A;  “;-}(E') E  :  C*  (H,  A,H) 

^  T  h  E  G  |C*  (H,  A,H)| 

^  T  h  case  (A)  [9;  g]{M)  {[9;  ^](“))  -G  E  :  C*  (H,  A,  B) 

^  ^  case  (A)  [0;  e]{M)  {[9-,  ^](E))  :  C*  {B,  A,  B) 

=>  T  hcase  (A)  [9;  g]{M)  ([0;^](E))  G  [C*  (H,  A,H)] 

^  T  h  [0;  ^](case  (A)  M  (E))  G  {C*  {B,  A,  H)] 

A;rhM:nH  h  oj  :  a  A;  F  h  Q  :  (oj}(I]') 

Case:  T>  = - TpIt 

A;r  h  it  (co)  M  (0)  :  {lj){B) 


by  definition  7.4 
by  definition  7.4 
by  lemma  6.17  (2) 
by  application  of  EvLet 
by  definition  SBLet 
by  assumption 
by  lemma  7.31 
by  lemma  6.21  on  V 
by  definition  7.4 


Side  Condition 
by  ind.  hyp.  on  Vi 
by  definition  7.4 
by  definition  7.4 
by  definition  7.4 
by  definition  7.4 
by  lemma  7.17  (1) 
by  lemma  7.2  (1) 
by  assumption 
by  ind.  hyp.  (2) 
by  lemma  7.8 
by  definition  7.37 
by  definition  CuBase 
by  definition  5.9 
by  lemma  7.46 
by  definition  CuBase 
by  definition  7.4 

by  definition 
by  definition  7.4 
by  definition  7.4 
by  application  of  EvCase 
by  application  of  TpCase 
by  definition  7.4 
by  definition  SBCase 


A;r  h  M  :  DH 


by  assumption 
^^[e;e\{M)  G  {OB} 

by  ind.  hyp.  (1) 

T  h  [9-,q]{M)  -g  box  M'  :  nB 

by  definition  7.4 

•;T  h  [0-,g]{M)  :  OB 

by  definition  7.4 

T  h  box  M'  G  \OB\ 

by  definition  7.4 

•  h  M'  G  [H] 

by  definition  7.4 

•  h  M'  fr  E'  :  H 

by  lemma  7.17  (1) 

■hV  i[B 

by  lemma  7.2  (1) 

A; 

r  h  0  :  (g;)(S') 

by  assumption 

vI/+.h[0;^](O)G[M(S';  •)] 

by  ind.  hyp.  (3) 

by  lemma  7.6 

h  yidv];  G  [•; 

by  definition  7.37 

TU  •  h  yidv];  U  •  G  •] 

by  definition  CuBase 

vI/U-h[.;idv,U-]((a;;0)(E'))  e  [M(H)] 

by  lemma  7.43 

by  definition  CuBase 

■;^h[-;id^]{{u;Q){V'j):{u){B) 

by  definition  7.4 

{u;Q){V')  =  [-;id^]{{u;Q){V')) 

^h{u;Q){r)  G  [M(H)] 

by  definition 

T  h  (g;;0)(E')  -g  V  :  (cj}(B) 

by  definition  7.4 

ThE  G  |M(H)| 

by  definition  7.4 

T  h  it  (a;)  [9;  e]{M)  {[9;  ^](0))  -G  E  :  {cj){B) 

by  application  of  EvIt 

\-  uj  :  a 

by  assumption 

=> 

yThit  M  [9;g]{M)  {[9;  g]{Q))  :  {u){B) 

by  application  of  TpIt 

Thit  M  [9;g]{M)  ([0;^](O))g[M(H)] 

by  definition  7.4 

vl/h[0;^](it  (a;)M(0))  G  [M(H)] 

by  definition  SBIt 

Case.  V  TmBase 

A;rh.:(H^A)(.) 

vI/+.h.G[(H^A)(.;.)l 

by  definition  7.7 

T  +  •  h  [6»;  £<](•)  G  1{B  A)(-;  •)] 

by  application  of  SBXiEmpty 

Case:  i 

A;r  h  “  :  (H  ^  A)(S')  A;  F  h  M  :  C  (H,  A,  H') 

r) _ 

TmInd 

[y  — 

A;  F  h  (“  1  c  HG  M)  :  (H  ^  A)(S',  c  :  B') 

A; 

F  h  “  :  (H  ^  A)(S') 

by  assumption 

vI/+.h[0;^](E)G[(H^A)(SV)] 

by  ind.  hyp.  (2) 

A; 

F  h  M  :  C  {B,A,B') 

by  assumption 

^^[9-,g]{M)elC{B,A,B')1 

by  ind.  hyp.  (1) 

T  +  •  h  [0;  ^](E)  1  c  ^  [9-  g\{M)  G  {{B  =>  A)(S',  c  :  B' 

;  •)]  by  definition  7.7 

^>+.h[9;g]{E\c^M)el{B^  A)(S',  c  :  H';  •)] 

by  application  of  SBXi 

3.  Case:  T) - TrBase 

A;rh.:M(.) 

T  +  -h-G 

^  T +  •  h  [6»;  £<](•)  G  [(cj)(-;  •)! 


by  definition  7.5 
by  application  of  SBOmegaEmpty 


A;rhO:n)(S')  A;rhM:n)(H') 

Case:  V  = - TrInd 

A;  r  h  (0  I  c  M)  :  (cj)(S',  c  :  B') 

A;rhO  :  (cj)(S') 

A;rhM  :  {u){B') 

^  ^h[0;g]{M)el{u){B')} 

=>  T  +  •  h  [0;  ^](0)  I  c  ^  [6;  e]{M)  G  [(c^)(S',  c  :  H';  •)] 
T  +  •  h  [0;  ^](0  I  c  H- ?■  M)  G  c  :  •)] 


by  assumption 
by  ind.  hyp.  (3) 
by  assumption 
by  ind.  hyp.  (1) 
by  definition  7.5 
by  application  of  SBOmega 


□ 


Theorem  7.48  (Canonical  form  theorem) 

If  •;  T  h  M  :  H  then  T  h  M  fr  E  :  H 


Proof: 

•;T  h  M  :  H 

by  assumption 

4^  h  yidv];  G  [•;4’] 

by  lemma  7.37 

Th[-;idvf](M)  G  [H] 

by  lemma  7.47 

•;Th  [yidvpKM)  :  B 

by  definition  7.4 

T  h  M  G  [H] 

by  lemma  6.23 

T  h  Mfr  E  :  H 

by  lemma  7.17  (1) 
□ 
Lemma  8.1  (Uniqueness  of  evaluation) 

1.  If  T  h  M  fr  U  :  A  and  T  h  M  fr  U'  :  A  then  V  =  V' 

2.  If^hM^V-.Aand^hM^V'-.A  then  V  =  V' 


Proof:  by  induction  over  Il::TI-Mf|'U  :A  and  £  ::  TMUA 


1.  Case:  £  = - EcAtomic- 


T  h  M  ^  U  :  g 

T  h  M  fr  U  :  a 
a 

V  =  V' 




T,  a;  :  Hi  h  M  a;  fr  Ui  :  ^2 

Case:  t - EcArrow- 

T  h  Mfr  Aa;:Hi.Ui  :  Hi  ^  H2 

T,  a;  :  Hi  h  M  a;  fl-  U/  :  H2 

^  Ui  =  Ui' 

Aa;  :Hi.  Ui  =  Aa;  :Hi.  U/ 

T(a;)  =  A 

2.  Case:  D  = - EvVar- 

T  h  a;  a;  :  A 

S(c)  =  H 

Case:  V  = - EvConst- 

T  h  c  c  :  H 

c  =  c 


•;  T,  a;  :  Ai  h  M  :  A2 
T  h  Aa; :  Ai.  M  Aa; :  Ai.  M  :  Ai  — >  A- 

71  /T  \ _  A  71  /T 


Case:  V  = - EvLam- 

ar  I  /\^  .  IV. 

Xx:Ai.M  =  Xx:Ai.M 

^  h  Ml  ^  Xx-.A^.M',  :  A2  Ai 

Case:  V  = - EvApp- 




^  h  Mo 


T  h  Ml  Aa; :  A2.  M('  :  A2  M  Ai 
Aa; :  A2.  M(  =  Aa; :  A2.  M" 

T  h  M2  U2'  :  ^2 
^  V2  =  V^ 

=>  [^2A](M()  =  [U'A](M") 


^  U  =  U' 

_  T  h  Ml  Ui  :  H2  M  Hi  T  h  Ui  ;  H2  M  Hi 

T  h  Ml  M2  Ui  U2  : 


T  h  Ml  U/  :  H2  M  Hi 
^  Ui  =  U/ 

T  h  M2  ^  U2'  :  ^2 
^  U2  =  T^2 
^  UiU2  =  Ui'U2 


by  inversion  using  EcAtomic 
by  ind.  hyp.  (2) 

by  inversion  using  EcArrow 
by  ind.  hyp.  (2) 
by  definition 


by  definition 

by  definition 

by  definition 


L 

by  inversion  using  EvApp 
by  ind.  hyp.  (2) 
by  inversion  using  EvApp 
by  ind.  hyp.  (2) 
by  definition 
by  ind.  hyp. 

T  h  M2  fl  U2  :  -62 

- EvAtomic- 

by  inversion  using  EvAtomic 
by  ind.  hyp.  (2) 
by  inversion  using  EvAtomic 
by  ind.  hyp.  (1) 




D  TYPE  PRESERVATION  THEOREM 


•;T  h  Ml  :  Ai 


;  T  h  M2  :  A2 


Case:  V  =  ^ - ''  EvPair: 

T  \~  ^Afi,  M2)  ^ — y  (Afi,  M2)  :  Ai  X  A2 

T  h  M  (Ml,  M2)  :  Ai  X  A2  T  h  Ml 


trivial 
[Case:]  V  = 

trivial 


V  :  Ai 


T  h  fst  M  V  :  Ai 


EvFst- 


T  P  M  ^ — y  (Afi ,  M2)  :  Ai  x  A2  T  \~  M2  ^ — y  E  :  A2 

Case:  V  = - EvSnd- 

T  h  snd  M  ^  V  ■.  A2 

trivial 

•  h  M  :  A 

Case:  H  = - EvBox- 

T  h  box  M  box  M  :  OA 

trivial 

T  h  Ml  box  M[  :  DA  T  h  [M[/a;](M2)  E  :  A2 

Case:  'D  = - EvLet- 

T  h  let  box  x  =  Mi  in  M2  E  :  A2 

trivial 

^  h  M boxM' :  DB  -hM'-frEEB  ^  h  {B  ^  A;  S;  •}(V')  ^  E  :  C*  (B,  A,  B) 

Case:  V  = - EvCase- 

^  h  case  (A)  M  (E)  ^  V  :  C*  (B,  A,  B) 

trivial 

T  h  M boxM' :  DH  •  h  M' fr  E' :  H  T  h  (cj;  0)(E') E  :  (x;)(H) 

Case:  V  = - EvIt- 

T  h  it  (cj)  M  (0)  E  :  {io){B) 

trivial 


□ 


Theorem  8.2  (Type  preservation) 


If  •;  T  h  M  :  A  and  T  h  M  E  :  A  then  •;  T  h  E  :  A 

Proof:  •;  T  h  M  :  A 

by  assumption 

T  h 

•;idvr  G  [•;^’] 

by  lemma  7.37 

vI/h[-;idvf](M)  G  [A] 

by  lemma  7.47 

vI/h[-;idvf](M)  G  [A] 

by  lemma  7.47 

•;  T  h  [•;  idip] (M)  :  A 

by  definition  7.4 

[•;idvp](M)  =  M 

by  lemma  6.23 

T  h  M  E'  :  A 

by  definition  7.4 

E  =  E' 

by  lemma  8.1 

T  h  E  G  |A| 

by  definition  7.4 

h  E  G  [A] 

by  lemma  7.21 

•;T  h  E  :  A 

by  definition  7.4 

□ 


E  Conservative  extension  theorem 


Lemma  9.1  (Typing  extension) 

If  T  h  M  :  H  then  •;  T  h  M  :  H 


Proof:  by  induction  over  T  h  M  :  H 
T(a;)  =  B 

Case:  - StpVar 

^\-  X  :  B 

X  :  B 


S(c)  =  B 

Case:  - StpConst 

T  h  c  :  H 

•;T  h  c  :  H 


T,  a;  :  Hi  h  M  :  H2 
Case:  - ^ ^ ^ - 

T  h  Aa; :  Hi .  M  :  Hi  — ?■  H2 
T,  a;  :  Hi  h  M  :  H2 


StpLam 


•;  T,  a;  :  Hi  h  M  :  H2 

•;  T  h  Aa; :  Hi .  M  :  Hi  — ?■  H2 

T  h  Ml  :  H2  ^  Hi  T  h  M2  :  H2 

Case:  - StpApp 

T  h  Ml  M2  :  Hi 
T  h  Ml  :  H2  — ?■  Hi 

•;  T  h  Ml  :  H2  — ?■  Hi 

T  h  M2  :  H2 

•;  T  h  M2  :  H2 
•;  T  h  Ml  M2  :  Hi 


by  application  of  TpVarReg 


by  application  of  TpConst 


by  assumption 
by  ind.  hyp. 
by  application  of  TpLam 


by  assumption 
by  ind.  hyp. 
by  assumption 
by  ind.  hyp. 
by  application  of  TpApp 

□ 


Theorem  9.2  (Conservative  Extension) 

If  •;  T  h  M  :  H  then  ThMfrV:H  andThEffH 

Proof:  •;  T  h  M  :  H 

^  T  h  M  fr  V  :  H 
^  T  h  V  fr  H 


by  assumption 

by  theorem  7.48  (1) 

by  lemma  7.2  (1) 
□ 
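The typing and evaluation rules that Lemma 8.1, Theorem 8.2 and Lemma 9.1 / Theorem 9.2 reason about, written out as an added Python model. This is not the paper's code: the tuple encoding of terms and types, the signature SIG with the constants z and s, and the sample terms are assumptions made here, and products are left out to keep the box fragment in focus. `typeof` implements the two-zone judgment Δ; Γ ⊢ M : A (TpVarReg, TpVarMod, TpConst, TpLam, TpApp, TpBox, TpLet), `evaluate` the big-step judgment Ψ ⊢ M ⇓ V with an EvAtomic case for atomic heads, and `preserves_type` checks the Theorem 8.2 instance for one term: the value of a well-typed term has the same type. Running `typeof` with an empty Δ on a simply typed term is exactly the embedding of Lemma 9.1.

```python
"""Toy type checker and evaluator for the box fragment of the modal calculus
behind Theorem 8.2 (type preservation) and Lemma 9.1 / Theorem 9.2.
Added illustration: the tuple encoding, the signature SIG and the sample
terms are constructed here; none of it is the paper's own code or notation.
Types: ('base', b) | ('arrow', A1, A2) | ('box', A)
Terms: ('var', x) | ('const', c) | ('lam', x, A, M) | ('app', M1, M2)
       | ('box', M) | ('letbox', x, M1, M2)        (pairs are left out)
"""
import itertools

NAT = ('base', 'nat')
SIG = {'z': NAT, 's': ('arrow', NAT, NAT)}   # constructed signature Sigma

class IllTyped(Exception):
    pass

def typeof(delta, gamma, m):
    """Delta; Gamma |- M : A (the Tp* rules of Lemma 7.47): Delta holds the
    modal, box-bound variables and Gamma the regular ones."""
    tag = m[0]
    if tag == 'var':                                  # TpVarReg / TpVarMod
        if m[1] in gamma:
            return gamma[m[1]]
        if m[1] in delta:
            return delta[m[1]]
        raise IllTyped(f'unbound variable {m[1]}')
    if tag == 'const':                                # TpConst
        return SIG[m[1]]
    if tag == 'lam':                                  # TpLam
        return ('arrow', m[2], typeof(delta, {**gamma, m[1]: m[2]}, m[3]))
    if tag == 'app':                                  # TpApp
        f, a = typeof(delta, gamma, m[1]), typeof(delta, gamma, m[2])
        if f[0] != 'arrow' or f[1] != a:
            raise IllTyped('argument type does not match the function')
        return f[2]
    if tag == 'box':                                  # TpBox: body sees Delta only
        return ('box', typeof(delta, {}, m[1]))
    if tag == 'letbox':                               # TpLet
        t1 = typeof(delta, gamma, m[2])
        if t1[0] != 'box':
            raise IllTyped('let box on a non-box')
        return typeof({**delta, m[1]: t1[1]}, gamma, m[3])
    raise IllTyped(f'unknown term {tag}')

def well_typed(delta, gamma, m):
    try:
        return typeof(delta, gamma, m) is not None
    except IllTyped:
        return False

def free_vars(m):
    if m[0] == 'var':
        return {m[1]}
    if m[0] in ('lam', 'letbox'):                     # m[1] is bound in m[3]
        outer = free_vars(m[2]) if m[0] == 'letbox' else set()
        return outer | (free_vars(m[3]) - {m[1]})
    return set().union(*(free_vars(s) for s in m[1:] if isinstance(s, tuple)))

def subst(v, x, m):
    """Capture-avoiding [V/x]M over both binders (lambda and let box)."""
    tag = m[0]
    if tag == 'var':
        return v if m[1] == x else m
    if tag in ('lam', 'letbox'):
        y, body = m[1], m[3]
        if y == x:                                    # x is shadowed inside body
            return m if tag == 'lam' else ('letbox', y, subst(v, x, m[2]), body)
        if y in free_vars(v):                         # rename y to avoid capture
            avoid = free_vars(v) | free_vars(body)
            y2 = next(f'{y}{i}' for i in itertools.count() if f'{y}{i}' not in avoid)
            y, body = y2, subst(('var', y2), y, body)
        mid = m[2] if tag == 'lam' else subst(v, x, m[2])
        return (tag, y, mid, subst(v, x, body))
    return (tag,) + tuple(subst(v, x, s) if isinstance(s, tuple) else s for s in m[1:])

def evaluate(m):
    """Big-step call-by-value Psi |- M => V (the Ev* rules of Lemma 8.1):
    lambdas and boxes are values as they stand; an application whose head
    evaluates to an atomic term stays an application (EvAtomic)."""
    tag = m[0]
    if tag in ('var', 'const', 'lam', 'box'):         # EvVar/EvConst/EvLam/EvBox
        return m
    if tag == 'app':                                  # EvApp / EvAtomic
        v1, v2 = evaluate(m[1]), evaluate(m[2])
        return evaluate(subst(v2, v1[1], v1[3])) if v1[0] == 'lam' else ('app', v1, v2)
    if tag == 'letbox':                               # EvLet
        b = evaluate(m[2])
        if b[0] != 'box':
            raise ValueError('let box on a non-box value')
        return evaluate(subst(b[1], m[1], m[3]))
    raise ValueError(f'unknown term {tag}')

def preserves_type(psi, m):
    """Theorem 8.2 on one term: given .; Psi |- M : A and Psi |- M => V,
    return (A, V, whether .; Psi |- V : A holds)."""
    a, v = typeof({}, psi, m), evaluate(m)
    return a, v, typeof({}, psi, v) == a

# Constructed samples: ADD2 = lam x:nat. s (s x) and
# SAMPLE = let box u = box (s z) in ADD2 u, which exercises EvLet, EvApp, EvAtomic.
ADD2 = ('lam', 'x', NAT, ('app', ('const', 's'), ('app', ('const', 's'), ('var', 'x'))))
SAMPLE = ('letbox', 'u', ('box', ('app', ('const', 's'), ('const', 'z'))), ('app', ADD2, ('var', 'u')))
```

`preserves_type({}, SAMPLE)` returns the type nat, the value s (s (s z)) and True; with an object variable n : nat in Ψ, `preserves_type({'n': NAT}, ('app', ADD2, ('var', 'n')))` shows the EvAtomic case, since the value s (s n) stays an application with an atomic head. The two `well_typed` checks on `('box', ('var', 'n'))` make the S4 restriction of TpBox concrete: a variable is visible under box only when it lives in Δ, which is what keeps the box-bound terms closed under Γ and lets the canonical form argument go through.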